Abstract — In this paper, we introduce the concept of dual universality of hash functions and present its applications to quantum cryptography. We begin by establishing the one-to-one correspondence between a linear function family $\mathcal{F}$ and a code family $\mathcal{C}$, and thereby defining $\varepsilon$-almost dual universal$_2$ hash functions as a generalization of the conventional universal$_2$ hash functions. Then we show that this generalized (and thus broader) class of hash functions is in fact sufficient for the security of quantum cryptography. This result can be explained in two different formalisms. First, by noting its relation to the $\delta$-biased family introduced by Dodis and Smith, we demonstrate that Renner's two-universal hashing lemma generalizes to our class of hash functions. Next, we prove that the proof technique of Shor and Preskill can be applied to quantum key distribution (QKD) systems that use our generalized class of hash functions for privacy amplification. While the Shor-Preskill formalism requires an implementer of a QKD system to explicitly construct a linear code of the Calderbank-Shor-Steane (CSS) type, this result removes the existing difficulty of constructing such a CSS-type linear code by replacing it with the combination of an ordinary classical error correcting code and our proposed hash function. We also show that a similar result applies to the quantum wire-tap channel.

Finally we compare our results in the two formalisms and show that, in typical QKD scenarios, the Shor-Preskill-type argument gives better security bounds, in terms of the trace distance and Holevo information, than the method based on the $\delta$-biased family.



I. Introduction 

Extracting secure uniform random numbers is an important task for cryptographic applications in the presence of quantum leaked information as well as of classical leaked information. For the quantum setting, several extractors have been proposed, e.g., 2-universal hashing [35], approximate 2-universal hashing [40], sample-and-hash [28], one-bit extractors [27], and Trevisan's extractor. In this paper, we focus on universal hash functions, which have a variety of cryptographic applications, for example, information theoretically secure signatures, hash functions for privacy amplification [39], [15], and hash functions for the wire-tap channel [20], [21]. The class of universal hash function families is the largest class of families of hash functions, among the known classes, that guarantees the strong security. However, there might exist a larger class of hash functions guaranteeing the strong security. If such a class exists, we might realize a strongly secure privacy amplification with a smaller complexity. It is known that the class of universal hash functions is included in the class of $\varepsilon$-almost universal hash functions [5], [43]. However, as is shown in Section VIII-B, there exists an example of $\varepsilon$-almost universal hash functions that cannot yield the strong security. Hence, we have to consider another type of generalization of the class of universal hash functions.

In this paper, in order to seek such a larger class, we restrict our hash functions to linear functions on a finite-dimensional space over the finite field $\mathbb{F}_2$, because most hash functions with a small complexity are linear. Under this restriction, we can find a one-to-one correspondence between a hash function and a linear code by considering the kernel of the hash function. Focusing on the dual code of the code corresponding to the given hash function, we propose the class of $\varepsilon$-almost dual universal hash functions as a class of families of linear hash functions satisfying the following conditions:



1) The class of families of hash functions contains the class of universal hash functions.

2) Any family of hash functions in this class yields the strong security when the generating key rate is sufficiently small.

Hence, the relation among classes of families of hash functions is summarized in Fig. 1.

[Figure 1: diagram of nested classes of hash function families; labels in the figure: "example given in Subsection VIII-B", "modified Toeplitz matrices", "permuted code family given in Section IV".]

Fig. 1. Relation among hash functions (when $\varepsilon$ increases as a polynomial of $n$). The modified Toeplitz matrices are given by a concatenation $(X, I)$ of the Toeplitz matrix $X$ and the identity matrix $I$, mentioned in Section II.



This fact can be shown by two different approaches. In the first approach, we focus on the concept of the $\delta$-biased family, which was introduced by Dodis and Smith [9]. Their results have also been extended to the quantum case ([10], or Lemma 12 of this paper). Since the main purpose of their original results is to correct errors without leaking partial information, they do not treat hash functions and privacy amplification. In this paper, adding an appropriate discussion to their results concerning the $\delta$-biased family, we show the strong security for the case where $\varepsilon$-almost dual universal hash functions are applied in the privacy amplification with a sufficient number of sacrifice bits. Since the bound derived by this approach has a form similar to that by Renner [35], we need to apply the method of smoothing [22]. We call this approach the $\delta$-biased approach.

In the second approach, we focus on the relation between the phase error probability and the leaked information given by the security proofs of a QKD protocol called the Bennett-Brassard 1984 (BB84) protocol [2]. The key point of this approach is the error correction in the phase basis by using a certain type of random coding. Hence we call this approach the phase error correction approach.

While both approaches derive similar conclusions qualitatively, the security bounds are different even when the same $\varepsilon$-almost dual universal hash functions are applied. In this respect, the phase error correction approach has two advantages over the $\delta$-biased approach. As the first advantage, in the case of the BB84 QKD protocol via a depolarizing channel, as is shown in Section VII-C, the phase error correction approach yields better bounds in terms of the trace distance and Holevo information than the $\delta$-biased approach.

Next, in order to explain the second advantage, we consider the case where we apply the privacy amplification after the error correction. In this setting, we treat a pair of two codes, i.e., the larger code for the error correction and the smaller code for privacy amplification. Then the second advantage of the phase error correction approach is that it can guarantee the strong security with a larger class of families of code pairs than the $\delta$-biased approach. In fact, in order to guarantee the strong security in this setting, the $\delta$-biased approach requires $\varepsilon$-almost dual universal hash functions for a fixed error correction code. In the phase error correction approach, however, we can relax this requirement for the family of code pairs; that is, this approach guarantees the strong security with a larger class of families of code pairs. As a concrete example of the advantage of this concept, we note the construction of an appropriate deterministic hash function for a given error correction code, which needs the treatment of the security for such a larger class of families of code pairs. That is, employing the phase error correction approach, we can show the existence of a deterministic hash function for a given error correction code that is universally secure under the independent and identical condition.

The organization of this paper is as follows. We begin in Section II by reviewing the conventional universal hash functions, i.e., the properties of $\varepsilon$-almost universal functions. Then we restrict ourselves to linear hash functions over the finite field $\mathbb{F}_2$, and establish a one-to-one correspondence between a linear hash function family $\mathcal{F}$ and a linear code family $\mathcal{C}$, by using the simple fact that the kernel of a linear function is a linear space, and thus can be considered as a code. This correspondence not only allows us to define the code family $\mathcal{C}$ of a given universal hash function family $\mathcal{F}$, but also the dual code family $\mathcal{C}^\perp$ corresponding to it. Under this setting, interestingly, a simple algebraic argument shows that the universality of $\mathcal{C}$ (i.e., the property of $\mathcal{C}$ being universal) also guarantees that of $\mathcal{C}^\perp$ (see Fig. 1). For example, (1) if $\mathcal{C}$ is universal, or equivalently, 1-almost universal, then $\mathcal{C}^\perp$ is 2-almost universal, but nevertheless, (2) for an $\varepsilon$-almost universal code family $\mathcal{C}$ with $\varepsilon > 1$, the dual code family $\mathcal{C}^\perp$ is not necessarily $\varepsilon$-almost universal, as can be seen from an explicit counterexample. These results lead us to introduce a new class of hash functions called an $\varepsilon$-almost dual universal hash function family, as a set of hash functions whose kernels form an $\varepsilon$-almost dual universal code family. This concept is indeed a generalization of the conventional universality$_2$, since a universal hash function family is a special case of our $\varepsilon$-almost dual universal family.

In Section III we note a simple relation between our "$\varepsilon$-almost dual universal family" and the concept of the "$\delta$-biased family", originally introduced by Dodis and Smith [9] for correcting errors without leaking partial information. By using this relation, we demonstrate that Renner's two-universal hashing lemma [35, Lemma 5.4.3] can be extended to the case where an $\varepsilon$-almost dual universal hash function family is used. Note here that Refs. [9], [10] did not relate this to privacy amplification. This result means that the hashing lemma is valid for a broader class of hash functions than previously thought, since the conventional type of two-universal hash functions is a special case of our $\varepsilon$-almost dual universal hash functions.

In Section IV we introduce the concept of the permuted code family, as the set of codes obtained by permuting bits of a given code $C$. Then we show the existence of a code $C$ whose permuted family $\mathcal{C}_C$ is $(n+1)$-almost dual universal, with $n$ being the bit length of $C$. The code $C$ of this type is particularly useful when the setting of our communication model is invariant under bit permutations, since the average performance of the code $C$ equals that of an $(n+1)$-almost dual universal code family. Due to this property, the permuted code family plays a key role in showing the existence of a deterministic hash function that works universally for different types of channels.

In Section V, as a preparation for later sections, we apply the results of Sections II and IV to error correction. We show that a code $C \in \mathcal{C}$ serves as a good code when it is chosen randomly from an $\varepsilon$-almost universal code family $\mathcal{C}$.

In Section VI we apply these results to the security proof of a QKD protocol called the Bennett-Brassard 1984 (BB84) protocol [2]. We use the proof technique of the Shor-Preskill type, which reduces the security of a secret key to the error correcting property of the Calderbank-Shor-Steane (CSS) quantum error correcting code (e.g., [37], [18]). This proof technique is elegant and widely used, but also has a drawback: it requires the implementation of the classical CSS code in actual QKD systems, which can be difficult especially for large block lengths (this is not the case for Renner's method, where universal hash functions can be used for privacy amplification). Our result solves this difficulty; even when one uses $\varepsilon$-almost dual universal functions for privacy amplification, the security can be shown in the Shor-Preskill formalism. Note here again that the conventional universal function family is a special case of our $\varepsilon$-almost dual universal families.

Then, in Section VII, we apply our results on QKD to the quantum wire-tap channel. In this model, a sender Alice has channels to two receivers, i.e., an authorized receiver Bob and an unauthorized receiver Eve, often referred to as a wire-tapper. The channels from Alice to Bob and to Eve are not necessarily restricted to any type, but we assume that they are both specified when we analyze the security. The main issue here is to obtain an upper bound on the leaked information with appropriate transmission rates. The net transmission rate can be given as the information transmission rate $R'$ to Bob minus the sacrifice bit rate $R$. The former rate can be treated in the framework of error correcting codes. The latter rate corresponds to a privacy amplification process.

Under these settings, in Section VII we consider a specific type of the quantum wire-tap channel where Alice and Bob are connected by the Pauli channel. By applying our results on QKD to this model, we show that an $\varepsilon$-almost dual universal function family is sufficient for removing Eve's information. Then, by using the invariance of the channel under bit permutations, we also show the existence of a deterministic hash function that works universally, that is, a hash function whose construction does not depend on the phase error probability caused by the wire-tapper. We also clarify that our evaluation is better than the $\delta$-biased approach based on [9], [10], [22].

Finally, in Section VIII we discuss the relation with existing results. In Subsection VIII-A we summarize the relation with existing results. In Subsection VIII-B we provide an example of an $\varepsilon$-almost universal hash function family that yields insecure bits. In Subsection VIII-C we consider the case where one applies the privacy amplification after the error correction. Then, we show that the phase error correction approach can guarantee the strong security with a larger class of families of code pairs than the $\delta$-biased approach.

II. Dual universality of a code family 

A. Linear universal hash functions as a linear code family 

We start by reviewing the basic properties of universal hash functions. Consider sets $A$ and $B$, and also a function family $\mathcal{F}$ consisting of functions from $A$ to $B$; that is, $\mathcal{F}$ is a set of functions $\mathcal{F} = \{f_r \mid r \in I\}$ with $f_r : A \to B$, where $I$ denotes the set of indices $r$ of hash functions. Our purpose is to select $f_r$ with equal probability and use it as a hash function, and for this purpose we always let $|A| \ge |B| \ge 2$. We say that a function family $\mathcal{F}$ is $\varepsilon$-almost universal$_2$ [5], [43] if, for any pair of different inputs $x_1, x_2$, the collision probability of their outputs is upper bounded as

$$\Pr_r[f_r(x_1) = f_r(x_2)] := \frac{1}{|I|}\,\#\{r \in I \mid f_r(x_1) = f_r(x_2)\} \le \frac{\varepsilon}{|B|}. \quad (1)$$

The parameter $\varepsilon$ appearing in (1) is shown to be confined in the region

$$\varepsilon \ge \frac{|A| - |B|}{|A| - 1}, \quad (2)$$

and in particular, a function family $\mathcal{F}$ attaining the equality of (2) is called an optimally universal$_2$ function family [38]. On the other hand, a family $\mathcal{F}$ with $\varepsilon = 1$ is simply called a universal$_2$ function family.

There are three important examples of universal hash function families:

• Example 1: Toeplitz matrices (see, e.g., [29]). Let $\{M_r \mid r \in I\}$ be the set of all $m \times n$ Toeplitz matrices. Then for an input $x \in \mathbb{F}_2^n$, the output $y \in \mathbb{F}_2^m$ of function $f_r$ is given by $y = x M_r$.

• Example 2: Modified Toeplitz matrices (see, e.g., [20]). Let $\mathcal{T} = \{T_r \mid r \in I\}$ be the set of all $m \times (n-m)$ Toeplitz matrices. Then let $M_r = (T_r, I_m)$ be the $m \times n$ matrix defined by the concatenation of $T_r$ and the $m$-dimensional identity matrix $I_m$. For an input $x \in \mathbb{F}_2^n$, the output $y \in \mathbb{F}_2^m$ of function $f_r$ is given by $y = x M_r$.

These (modified) Toeplitz matrices are particularly useful in practice, because there exists an efficient multiplication algorithm using the fast Fourier transform with complexity $O(n \log n)$ (see, e.g., [12]).

In this paper, we focus only on linear functions over the finite field $\mathbb{F}_2$. We assume that the sets $A, B$ are $\mathbb{F}_2^n, \mathbb{F}_2^m$ respectively with $n > m$, and that the $f_r$ are linear functions over $\mathbb{F}_2$. Note that, in this case, there is a kernel $C_r$ corresponding to each $f_r$, which is a vector space of $n - m$ dimensions or more. Also note that, conversely, when given a vector subspace $C_r \subset \mathbb{F}_2^n$ of $n - m$ dimensions or more, one can always construct a linear function

$$f_r : \mathbb{F}_2^n \to \mathbb{F}_2^m \quad \text{with} \quad \mathrm{Ker}\, f_r = C_r, \quad (3)$$

so that $f_r$ induces an injection of $\mathbb{F}_2^n / C_r$ into $\mathbb{F}_2^m$, with $l_r := n - \dim C_r \le m$. This means that, by considering $C_r$ as an error-correcting code¹, we can always identify a linear hash function $f_r$ with an error correcting code $C_r$.²

In this terminology, since $n - \min_r \dim C_r = m$, the definition of an $\varepsilon$-almost universal$_2$ function family of (1) takes the form

$$\forall x \in \mathbb{F}_2^n \setminus \{0\}, \quad \Pr_r[f_r(x) = 0] \le 2^{-m}\varepsilon, \quad (4)$$

which can further be rewritten as

$$\forall x \in \mathbb{F}_2^n \setminus \{0\}, \quad \Pr_r[x \in C_r] \le 2^{\min_r \dim C_r - n}\varepsilon. \quad (5)$$

This shows that the set of kernels $\mathcal{C} = \{C_r \mid r \in I\}$ contains sufficient information for determining whether a function family $\mathcal{F} = \{f_r \mid r \in I\}$ is $\varepsilon$-almost universal or not.

To see this in more detail, we give explicit constructions. 
For later convenience, we denote a generating matrix of a code 
C by G(C), so that the rows of G(C) are basis vectors of C. 

¹ For the present, we take the standpoint that any vector subspace of $\mathbb{F}_2^n$ is a code, whether or not it can actually correct errors.

² Note that $\dim C_r = \dim \mathrm{Ker}\, f_r = n - l_r$ is not a constant in general. For example, for the function family defined by multiplication of all normal (i.e., unmodified) Toeplitz matrices of Example 1, $\dim C_r$ varies from $n - m$ to $n$ depending on $r \in I$. The special case of $\dim C_r$ being a constant will be discussed in detail in Section II-C.
We also denote a parity check matrix of $C$ by $H(C)$; hence one may choose $H(C) = G(C^\perp)$. If one wants to construct $C_r$ from $f_r$, let $x$ be a column vector, and define the linear function $f_r$ as $y = f_r(x) = M_r x$ by using an $m \times n$ matrix $M_r$. Here $M_r$ corresponds to a parity check matrix of the error-correcting code $C_r$, and thus the row vectors of $M_r$ span $C_r^\perp$. Conversely, if one wants to construct a linear function $f_r : \mathbb{F}_2^n \to \mathbb{F}_2^m$ from a code $C_r$, do as follows: First, let $l_r := \dim C_r^\perp \le m$, and take a basis of $C_r^\perp \subset \mathbb{F}_2^n$ as $\{u_1, \ldots, u_{l_r}\}$, and a basis of $\mathbb{F}_2^m$ as $\{v_1, \ldots, v_m\}$. Then define a matrix $M_r = \sum_{i=1}^{l_r} v_i u_i^T$, and let $f_r(x) = M_r x$.

It should be noted that, in fact, this construction of $f_r$ has an ambiguity that comes from the choices of bases $\{u_i\}$ and $\{v_i\}$. By the above procedure, even when one constructs $C_r$ from $f_r$, and then $f_r'$ from the obtained $C_r$, $f_r$ and $f_r'$ may not be equal in general. In this paper, however, we do not worry about this ambiguity, because (i) the ambiguity does not affect the property of $f_r$ being $\varepsilon$-almost universal, and (ii) the ambiguity is absent after all when we actually implement and operate universal hash functions for cryptographic purposes; in such cases, we never think of $C_r$ as a vector space, but rather specify matrices $M_r$ or basis sets of $C_r$ explicitly. Note that a similar situation happens with error-correcting codes as well; i.e., it is convenient to interpret $C_r$ as a mathematical vector space when one analyzes the code theoretically, but in practice one can never implement a code as a program or a circuit without specifying the basis vectors, or equivalently, the parity check and the generating matrices.

B. Dual universality of a code family 

From these arguments, we define the universality of error-correcting codes as follows.

Definition 1: We define the minimum (respectively, maximum) dimension of a code family $\mathcal{C} = \{C_r \mid r \in I\}$ as $t_{\min} := \min_{r \in I} \dim C_r = \min_{r \in I} (n - l_r)$ (respectively, $t_{\max} := \max_{r \in I} \dim C_r = \max_{r \in I} (n - l_r)$).

Definition 2: We define the dual code family $\mathcal{C}^\perp$ of a given linear code family $\mathcal{C} = \{C_r \mid r \in I\}$ as the set of all dual codes of $C_r$. That is, $\mathcal{C}^\perp = \{C_r^\perp \mid r \in I\}$.

Definition 3: We say that a linear code family $\mathcal{C} = \{C_r \subset \mathbb{F}_2^n \mid r \in I\}$ of minimum dimension $t_{\min}$ is an $\varepsilon$-almost universal code family of minimum dimension $t_{\min}$, if the following condition is satisfied:

$$\forall x \in \mathbb{F}_2^n \setminus \{0\}, \quad \Pr_r[x \in C_r] \le 2^{t_{\min} - n}\varepsilon. \quad (6)$$

Relaxing Condition (6), we say that a linear code family $\mathcal{C} = \{C_r \subset \mathbb{F}_2^n \mid r \in I\}$ of maximum dimension $t_{\max}$ is an $\varepsilon$-almost universal code family of maximum dimension $t_{\max}$, if the following condition is satisfied:

$$\forall x \in \mathbb{F}_2^n \setminus \{0\}, \quad \Pr_r[x \in C_r] \le 2^{t_{\max} - n}\varepsilon. \quad (7)$$

As in the case of a universal function family, $\varepsilon$ is bounded from below by (2) as $\varepsilon \ge (2^n - 2^{n-t})/(2^n - 1)$. For the case where $\varepsilon$ achieves this minimum, we say that $\mathcal{C}$ is optimally universal. Similarly, if $\varepsilon = 1$, we call $\mathcal{C}$ a universal code family.



We also introduce the notion of dual universality as follows.

Definition 4: We say that a code family $\mathcal{C}$ is $\varepsilon$-almost dual universal of maximum (minimum) dimension $t$, if the dual family $\mathcal{C}^\perp$ is $\varepsilon$-almost universal of minimum (maximum) dimension $t$.

Hence, accordingly,

Definition 5: A linear function family $\mathcal{F} = \{f_r \mid r \in I\}$ is $\varepsilon$-almost dual universal, if the kernels $C_r$ of $f_r$ form an $\varepsilon$-almost dual universal code family.

An explicit example of a dual universal function family (with $\varepsilon = 1$) can be given by the modified Toeplitz matrices (Example 2) mentioned earlier [18], i.e., a concatenation $(X, I)$ of the Toeplitz matrix $X$ and the identity matrix $I$. This example is particularly useful in practice because it is both universal and dual universal (cf. Fig. 1), and also because there exists an efficient algorithm with complexity $O(n \log n)$.

Indeed, since Condition (6) coincides with (5), it seems enough to use only Condition (6). In the case of Example 1, a large part of the kernels of $M_r$ have the maximum dimension $n - m$ of the code family. Then, the kernels of $M_r$ form an $\varepsilon$-almost universal code family of maximum dimension $n - m$ with $\varepsilon = 1$.

However, when we consider an $\varepsilon$-almost dual universal family of hash functions, our situation becomes more complex. In the case of Example 1, a large part of the dual codes of the kernels of $M_r$ have the minimum dimension $m$ of the code family. In this case, the vector $x$ belongs to the dual code of the kernel of $M_r$ if and only if $x$ can be written as a linear combination of the row vectors of $M_r$. Hence, we can show that

$$\Pr_r[x \in (\mathrm{Ker}\, M_r)^\perp] \le 2^{m-n},$$

which implies that $\{M_r \mid r \in I\}$ is an $\varepsilon$-almost dual universal$_2$ function family with $\varepsilon = 1$. Hence, Condition (7) is essential for $\varepsilon$-almost dual universality$_2$.

With these preliminaries, we can present the following main theorem of this section:

Theorem 1: Given an $\varepsilon$-almost universal code family $\mathcal{C}$ of minimum dimension $t$, the dual code family $\mathcal{C}^\perp$ is a $2(1 - 2^{t-n}\varepsilon) + (\varepsilon - 1)2^t$-almost universal code family with maximum dimension $n - t$. That is, for all $x \in \mathbb{F}_2^n \setminus \{0\}$, the dual code family $\mathcal{C}^\perp$ satisfies

$$\Pr_r[x \in C_r^\perp] \le (1 - 2^{t-n}\varepsilon)2^{-t+1} + \varepsilon - 1. \quad (8)$$

In other words, the code family $\mathcal{C}$ is also $2(1 - 2^{t-n}\varepsilon) + (\varepsilon - 1)2^t$-almost dual universal.
Proof: For $x, y \in \mathbb{F}_2^n$, let

$$p_x := \Pr_r[x \in C_r^\perp], \quad (9)$$

$$V_x := \{y \in \mathbb{F}_2^n \mid (x, y) = 0\} = \{x, 0\}^\perp, \quad (10)$$

where $(x, y)$ denotes the inner product of $x, y$. Since $\#(V_x \setminus \{0\}) = 2^{n-1} - 1$,

$$2^{t-n}\varepsilon\,(2^{n-1} - 1) = \sum_{y \in V_x \setminus \{0\}} 2^{t-n}\varepsilon \ge \sum_{y \in V_x \setminus \{0\}} \Pr_r[y \in C_r]. \quad (11)$$

Now, (i) if $x \in C_r^\perp$, it means that $C_r \subset V_x$, and we have $\dim(C_r \cap V_x) = \dim C_r \ge t$. Hence it follows that $\#(C_r \cap V_x \setminus \{0\}) = \#(C_r \setminus \{0\}) \ge 2^t - 1$. On the other hand, (ii) if $x \notin C_r^\perp$, we have $\dim(C_r \cap V_x) \ge t - 1$, and thus $\#(C_r \cap V_x \setminus \{0\}) \ge 2^{t-1} - 1$. Because $\sum_{y \in V_x \setminus \{0\}} \Pr_r[y \in C_r]$ is equal to the average of the number $\#(C_r \cap V_x \setminus \{0\})$, relations (i) and (ii) yield

$$\sum_{y \in V_x \setminus \{0\}} \Pr_r[y \in C_r] \ge p_x(2^t - 1) + (1 - p_x)(2^{t-1} - 1) = 2^{t-1} + p_x 2^{t-1} - 1. \quad (12)$$

Combining (11) and (12), we have $2^{t-n}(2^{n-1} - 1)\varepsilon \ge 2^{t-1} + p_x 2^{t-1} - 1$, which leads to inequality (8). ■
Theorem 2: Inequality (8) of Theorem 1 is tight. That is, for an integer $t < n$, an element $x \in \mathbb{F}_2^n \setminus \{0\}$, and a positive real number $\varepsilon \le \frac{2 - 2^{1-t}}{1 - 2^{1-n}}$, there exists an $\varepsilon$-almost universal code family $\mathcal{C}$ with minimum dimension $t$ satisfying the equality of (8).

In the above theorem, the real number $\varepsilon = \frac{2 - 2^{1-t}}{1 - 2^{1-n}}$ is the maximum number satisfying $(1 - 2^{t-n}\varepsilon)2^{-t+1} + \varepsilon - 1 \le 1$.

Proof: Fix $x \in \mathbb{F}_2^n$. Then define a code family $\mathcal{A} = \{A_r\}$ in $\mathbb{F}_2^n$ as follows. Choose randomly a $t$-dimensional subspace of $V_x = \{y \in \mathbb{F}_2^n \mid (x, y) = 0\}$. That is, select $t$ linearly independent elements from $V_x$ randomly, and let them span a subspace $A_r$. Then one has:

$$y \in V_x \setminus \{0\}, \quad \Pr_r[y \in A_r] = \frac{2^t - 1}{2^{n-1} - 1}. \quad (13)$$

We also define another code family $\mathcal{B} = \{B_r\}$ as follows. First choose a $(t-1)$-dimensional subspace of $V_x$ randomly, and then include an additional basis element $z \notin V_x$ in it, so that they form a $t$-dimensional subspace in total. Then the following relations hold:

$$y \in V_x \setminus \{0\}, \quad \Pr_r[y \in B_r] = \frac{2^{t-1} - 1}{2^{n-1} - 1}, \quad (14)$$

$$y \notin V_x, \quad \Pr_r[y \in B_r] = 2^{t-n}. \quad (15)$$

Finally, define a code family $\mathcal{C} = \{C_r\}$ by combining $\mathcal{A}$ with probability $p$ and $\mathcal{B}$ with probability $1 - p$, where $p$ is defined by

$$p := (1 - 2^{t-n}\varepsilon)2^{-t+1} + \varepsilon - 1. \quad (16)$$

One may wonder whether this construction using probability $p$ deviates from our definition of a universal code family, in which each element $C_r$ is chosen with uniform probability. One way to cure this problem is to include multiple copies of $\mathcal{A}$ and $\mathcal{B}$ in $\mathcal{C}$. For example, if $p = a/b$ with $a, b \in \mathbb{N}$, then construct $\mathcal{C}$ as a combination of $a$ copies of $\mathcal{A}$ and $b - a$ copies of $\mathcal{B}$.

From (13), (14), and (15), it is straightforward to see that $\mathcal{C}$ is $\varepsilon$-almost universal. Also note, since $x \in C_r^\perp$ holds only when $\mathcal{A}$ is chosen, we have

$$\Pr_r[x \in C_r^\perp] = p. \quad (17)$$

Hence, $\mathcal{C}$ indeed attains the equality of (8). ■
We give some useful examples of Theorems 1 and 2. We apply these results to several communication models in later sections.

Corollary 1: The following relations hold for a code family $\mathcal{C}$ and the dual family $\mathcal{C}^\perp$:

1) If $\mathcal{C}$ is optimally universal, $\mathcal{C}^\perp$ is also optimally universal. In other words, an optimally universal family $\mathcal{C}$ is also optimally dual universal.

2) If $\mathcal{C}$ is universal (i.e., 1-almost universal), $\mathcal{C}^\perp$ is 2-almost universal. In other words, a universal family $\mathcal{C}$ is also 2-almost dual universal.

3) For $\varepsilon > 1$, however, an $\varepsilon$-almost universal family $\mathcal{C}$ is not necessarily $\varepsilon'$-almost dual universal. That is, there is an example of an $\varepsilon$-almost universal family $\mathcal{C}$ with $\max_x \Pr_r[x \in C_r^\perp] = 1$.

Proof: Items 1 and 2 are obvious. For item 3, choose $\varepsilon$ so that the right hand side of (8) equals 1. ■
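As an added illustration that is not part of the paper, the following Python script checks Theorem 1 and Corollary 1 (item 2) by brute force on the family of all $m \times n$ Toeplitz matrices of Example 1: it computes the universality parameter $\varepsilon$ of the kernel family via Condition (6), the largest $\Pr_r[x \in C_r^\perp]$ over nonzero $x$, and compares the latter with the right-hand side of (8). It assumes the column-vector convention $f_r(x) = M_r x$, so that $C_r = \mathrm{Ker}\, M_r$ and $C_r^\perp$ is the row space of $M_r$, and uses the small parameters $m = 2, n = 4$ so that exhaustive enumeration is feasible.

```python
# Added example, not from the paper: exhaustive check of Theorem 1 and
# Corollary 1 (item 2) for the Toeplitz family of Example 1.
# Convention assumed here: f_r(x) = M_r x with x a column vector in F_2^n,
# so the code C_r is Ker M_r and its dual C_r^perp is the row space of M_r.
from fractions import Fraction
from itertools import product


def toeplitz(diag, m, n):
    """m x n Toeplitz matrix whose (i, j) entry is diag[j - i + m - 1]."""
    return tuple(tuple(diag[j - i + m - 1] for j in range(n)) for i in range(m))


def toeplitz_family(m, n):
    """All 2^(m+n-1) Toeplitz matrices, indexed by their m+n-1 diagonals."""
    return [toeplitz(d, m, n) for d in product((0, 1), repeat=m + n - 1)]


def dot(u, v):
    """Inner product over F_2."""
    return sum(a & b for a, b in zip(u, v)) % 2


def in_kernel(M, x):
    """x in C_r = Ker M_r  <=>  M_r x = 0 over F_2."""
    return all(dot(row, x) == 0 for row in M)


def row_space(M):
    """C_r^perp: all F_2-linear combinations of the rows of M_r."""
    n = len(M[0])
    span = set()
    for coeffs in product((0, 1), repeat=len(M)):
        v = [0] * n
        for c, row in zip(coeffs, M):
            if c:
                v = [a ^ b for a, b in zip(v, row)]
        span.add(tuple(v))
    return span


def vectors(n, nonzero=True):
    """All vectors of F_2^n, by default without the zero vector."""
    return [x for x in product((0, 1), repeat=n) if any(x) or not nonzero]


def kernel_dims(family, n):
    """(t_min, t_max) of Definition 1: a kernel of size 2^d has dimension d."""
    dims = [sum(1 for x in vectors(n, nonzero=False) if in_kernel(M, x)).bit_length() - 1
            for M in family]
    return min(dims), max(dims)


def max_membership_prob(family, member):
    """max over nonzero x of Pr_r[x in code_r], with r uniform over the family."""
    n = len(family[0][0])
    return max(Fraction(sum(1 for M in family if member(M, x)), len(family))
               for x in vectors(n))


def theorem1_dual_bound(t, n, eps):
    """Right-hand side of (8): the bound on Pr_r[x in C_r^perp] for nonzero x."""
    return (1 - Fraction(2) ** (t - n) * eps) * Fraction(2) ** (1 - t) + eps - 1


def theorem1_dual_eps(t, n, eps):
    """eps' of Theorem 1: C^perp is eps'-almost universal of maximum dimension n-t."""
    return 2 * (1 - Fraction(2) ** (t - n) * eps) + (eps - 1) * Fraction(2) ** t


def check_toeplitz(m, n):
    """Measure the Toeplitz family exhaustively and compare with Theorem 1."""
    fam = toeplitz_family(m, n)
    duals = {M: row_space(M) for M in fam}
    t_min, t_max = kernel_dims(fam, n)
    # Condition (6): the smallest eps with Pr[x in C_r] <= 2^(t_min - n) eps.
    eps = max_membership_prob(fam, in_kernel) / Fraction(2) ** (t_min - n)
    # The dual family has maximum dimension n - t_min; apply Condition (7) to it.
    dual_prob = max_membership_prob(fam, lambda M, x: x in duals[M])
    dual_eps = dual_prob / Fraction(2) ** ((n - t_min) - n)
    return {
        "t_min": t_min, "t_max": t_max, "eps": eps,
        "dual_prob": dual_prob, "dual_eps": dual_eps,
        "bound_prob": theorem1_dual_bound(t_min, n, eps),
        "bound_eps": theorem1_dual_eps(t_min, n, eps),
    }


if __name__ == "__main__":
    r = check_toeplitz(2, 4)
    print(f"kernel family: t_min={r['t_min']}, t_max={r['t_max']}, eps={r['eps']}")
    print(f"dual family: max Pr[x in C_r^perp]={r['dual_prob']} <= {r['bound_prob']} by (8)")
    print(f"dual eps'={r['dual_eps']} <= {r['bound_eps']} < 2 (Corollary 1, item 2)")
```

For the Toeplitz family the kernel dimension ranges from $n-m$ (full-rank matrices) to $n$ (the zero matrix), which is why Condition (6) with $t_{\min} = n - m$ is the one that yields $\varepsilon = 1$.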

C. Case of surjective linear function family

Some linear function families $\mathcal{F} = \{f_r : \mathbb{F}_2^n \to \mathbb{F}_2^m \mid r \in I\}$ consist only of surjective functions $f_r$, i.e., functions $f_r$ satisfying $\mathrm{Im}\, f_r = \mathbb{F}_2^m$ for all $r \in I$. In this case, it is straightforward to show that the dimension of the corresponding code family $\mathcal{C} = \{C_r \mid r \in I\}$ is constant: $\dim C_r = \dim \mathrm{Ker}\, f_r = n - m$.

The goal of this subsection is to demonstrate that, for these particular families, the definitions and the theorems of the previous subsection concerning dual universal functions can be greatly simplified. We take up this particular case because we believe that it provides an intuitive picture of the results of the previous subsections; e.g., the dual universality can be discussed directly without mentioning the corresponding code family $\mathcal{C}$. However, at the same time, it should also be noted that there are many useful examples of non-surjective hash function families, including the Toeplitz matrices of Example 1. Hence in the rest of the paper, we do not restrict ourselves to surjective function families; instead we consider general linear hash functions as defined in the previous subsection.

We begin by defining duality of surjective function families:

Definition 6: Given two surjective linear functions $f : \mathbb{F}_2^n \to \mathbb{F}_2^m$ and $g : \mathbb{F}_2^n \to \mathbb{F}_2^{n-m}$, we say that $f$ and $g$ are dual functions if $\mathrm{Ker}\, f = (\mathrm{Ker}\, g)^\perp$, or equivalently, if $\mathrm{Ker}\, g = (\mathrm{Ker}\, f)^\perp$.

We note that a similar definition can be found in Ref. [34]. It is straightforward to generalize this notion to function families:

Definition 7: Given two function families consisting only of surjective functions and having the same index set $r \in I$,

$$\mathcal{F} = \{f_r : \mathbb{F}_2^n \to \mathbb{F}_2^m \mid r \in I\}, \qquad \mathcal{G} = \{g_r : \mathbb{F}_2^n \to \mathbb{F}_2^{n-m} \mid r \in I\},$$

we say that $\mathcal{F}$ and $\mathcal{G}$ are dual families, if $f_r$ and $g_r$ are dual functions for all $r \in I$.

Recall from Definition 5 that a function family $\mathcal{F}$ is $\varepsilon$-almost dual universal iff the corresponding code family $\mathcal{C}^\perp = \{C_r^\perp \mid r \in I\} = \{(\mathrm{Ker}\, f_r)^\perp \mid r \in I\}$ is $\varepsilon$-almost universal$_2$. For a dual pair of surjective families $\mathcal{F}$ and $\mathcal{G}$, this is equivalent to the condition that $\mathcal{C}^\perp = \{\mathrm{Ker}\, g_r \mid r \in I\}$ is $\varepsilon$-almost universal$_2$. Then by noting the definition of universality$_2$ given in (4), we can redefine the dual universality of surjective families in a simpler way:

Definition 8: A surjective function family $\mathcal{F}$ is $\varepsilon$-almost dual universal$_2$, iff its dual function family $\mathcal{G}$ is $\varepsilon$-almost universal$_2$.

Theorem 1 can also be simplified as:

Corollary 2: If a surjective function family $\mathcal{F} = \{f_r : \mathbb{F}_2^n \to \mathbb{F}_2^m \mid r \in I\}$ is $\varepsilon$-almost universal, then its dual function family $\mathcal{G} = \{g_r : \mathbb{F}_2^n \to \mathbb{F}_2^{n-m} \mid r \in I\}$ is $2(1 - 2^{-m}\varepsilon) + (\varepsilon - 1)2^{n-m}$-almost universal.

It is convenient to consider these statements in terms of matrices. Take an arbitrary pair of surjective linear functions, $f : \mathbb{F}_2^n \to \mathbb{F}_2^m$ and $g : \mathbb{F}_2^n \to \mathbb{F}_2^{n-m}$. Then $f$ can be written as a matrix multiplication $y = xM$, with input $x$ and output $y$, and with $M$ being an $m \times n$ matrix. Similarly, $g$ can also be expressed as $y = xN$ with an $(n-m) \times n$ matrix $N$. Since the row vectors of $M$, $N$ form a basis of $(\mathrm{Ker}\, f)^\perp$, $(\mathrm{Ker}\, g)^\perp$, respectively, we conclude that $f$ and $g$ are dual functions iff $MN^T = 0$.

Hence, a straightforward way of constructing a pair $\mathcal{F}, \mathcal{G}$ of dual families is as follows: First choose a code family $\mathcal{C} = \{C_r \mid r \in I\}$ of a fixed dimension. Then define functions $f_r$ by $y = xG(C_r)$ with $G(C_r)$ being the generating matrix of $C_r$, and $g_r$ by $y = xH(C_r)$ with $H(C_r)$ being the parity check matrix. In this case, if $\mathcal{F}$ is $\varepsilon$-universal$_2$, then one can guarantee that $\mathcal{G}$ is $\varepsilon'$-universal$_2$, with $\varepsilon$ and $\varepsilon'$ related as in Theorem 1.

One useful example that fits this construction is the family of all modified Toeplitz matrices, given as Example 2. In this case, the presence of the identity matrix $I_m$ maximizes $\mathrm{rank}\, M_r$ and guarantees the surjectivity of the corresponding linear function. It is easy to see that the dual families are defined by $N_r = (I_{n-m}, T_r^T)$, which is another class of modified Toeplitz matrices (note $M_r N_r^T = 0$).
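The dual pair of modified Toeplitz families described above, as an added example that is not part of the paper: the script builds $M_r = (T_r, I_m)$ and $N_r = (I_{n-m}, T_r^T)$ for every Toeplitz block $T_r$, checks $M_r N_r^T = 0$ and the surjectivity of both maps, and verifies Definition 6 directly, i.e. $\mathrm{Ker}\, f_r = (\mathrm{Ker}\, g_r)^\perp$, by enumeration. The column-vector convention $f_r(x) = M_r x$, $g_r(x) = N_r x$ is assumed, and $m = 2, n = 5$ are chosen small enough for exhaustive checking.

```python
# Added example, not from the paper: the dual pair of modified Toeplitz
# families of Section II-C, checked exhaustively for small m, n.
# Convention assumed here: f_r(x) = M_r x and g_r(x) = N_r x, with x a column
# vector in F_2^n, so that the rows of M_r span (Ker f_r)^perp.
from itertools import product


def toeplitz(diag, rows, cols):
    """rows x cols Toeplitz matrix with (i, j) entry diag[j - i + rows - 1]."""
    return [[diag[j - i + rows - 1] for j in range(cols)] for i in range(rows)]


def identity(k):
    return [[int(i == j) for j in range(k)] for i in range(k)]


def hconcat(A, B):
    """Side-by-side concatenation (A, B) of two matrices with equal row counts."""
    return [ra + rb for ra, rb in zip(A, B)]


def transpose(A):
    return [list(col) for col in zip(*A)]


def matmul(A, B):
    """Matrix product over F_2."""
    return [[sum(a & b for a, b in zip(row, col)) % 2 for col in zip(*B)] for row in A]


def modified_toeplitz_pair(diag, m, n):
    """M_r = (T_r, I_m) of Example 2 and its dual N_r = (I_{n-m}, T_r^T)."""
    T = toeplitz(diag, m, n - m)                 # T_r: m x (n-m), has n-1 diagonals
    M = hconcat(T, identity(m))                  # hash f_r, an m x n matrix
    N = hconcat(identity(n - m), transpose(T))   # dual g_r, an (n-m) x n matrix
    return M, N


def apply(M, x):
    """f(x) = M x over F_2."""
    return tuple(sum(a & b for a, b in zip(row, x)) % 2 for row in M)


def kernel(M, n):
    return {x for x in product((0, 1), repeat=n) if not any(apply(M, x))}


def orthogonal_complement(S, n):
    """S^perp: all y with (x, y) = 0 for every x in S."""
    return {y for y in product((0, 1), repeat=n)
            if all(sum(a & b for a, b in zip(x, y)) % 2 == 0 for x in S)}


def is_zero(A):
    return all(v == 0 for row in A for v in row)


def is_dual_pair(M, N, n):
    """Definition 6: Ker f = (Ker g)^perp, checked by enumeration."""
    return kernel(M, n) == orthogonal_complement(kernel(N, n), n)


def is_surjective(M, n):
    """Im f = F_2^m, i.e. 2^m distinct outputs over all 2^n inputs."""
    return len({apply(M, x) for x in product((0, 1), repeat=n)}) == 2 ** len(M)


def check_family(m, n):
    """Over every T_r: M_r N_r^T = 0, both maps surjective, and (M_r, N_r) dual."""
    for diag in product((0, 1), repeat=n - 1):
        M, N = modified_toeplitz_pair(diag, m, n)
        if not (is_zero(matmul(M, transpose(N)))
                and is_surjective(M, n) and is_surjective(N, n)
                and is_dual_pair(M, N, n)):
            return False
    return True


if __name__ == "__main__":
    M, N = modified_toeplitz_pair((1, 0, 1, 1), 2, 5)   # constructed sample key r
    print("M_r =", M)
    print("N_r =", N)
    print("M_r N_r^T =", matmul(M, transpose(N)))
    print("all pairs dual for m=2, n=5:", check_family(2, 5))
```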

Still, it should also be noted that there are many useful examples of non-surjective hash function families. For example, for the normal Toeplitz matrices of Example 1, the rank of $T_r$ ranges from zero to $m$ depending on $r$ (consider the case where its rows are periodic). Hence in the rest of this paper, we do not restrict ourselves to surjective function families; instead we consider general linear hash functions as defined in the previous subsection.

D. Generalization to subcode, extended code, and code pair 
families 

For the application to quantum key distribution, it is convenient to generalize the concept of a universal code family to families $\mathcal{C} = \{C_{2,r}\}$ consisting solely of extended codes of $C_1$.

Definition 9: Let $C_1 \subset \mathbb{F}_2^n$ be a fixed $m$-dimensional code. A code family $\mathcal{C}_2 = \{C_{2,r} \mid r \in I\}$ is called an extended code family of $C_1$ if each $C_{2,r}$ is an extended code of $C_1$, i.e., $\forall r \in I,\ C_1 \subset C_{2,r}$. An extended code family $\mathcal{C}_2$ of $C_1$ is called an $\varepsilon$-almost universal extended code family of $C_1$ with minimum (or maximum) dimension $t$ if

$$ \forall x \in \mathbb{F}_2^n \setminus C_1,\quad \Pr[x \in C_{2,r}] = \Pr[[x] \subset C_{2,r}] \le 2^{t-n}\varepsilon, $$

where $[x]$ denotes the coset with representative $x$ in $\mathbb{F}_2^n / C_1$.



By considering the universality of the dual code family of such an extended code family, we are naturally led to the following definition of universal subcode families.

Definition 10: Let $C_1 \subset \mathbb{F}_2^n$ be a fixed $m$-dimensional code. A code family $\mathcal{C}_2 = \{C_{2,r} \mid r \in I\}$ is called a subcode family of $C_1$ if each $C_{2,r}$ is a subcode of $C_1$, i.e., $\forall r \in I,\ C_{2,r} \subset C_1$. A subcode family $\mathcal{C}_2$ of $C_1$ is called an $\varepsilon$-almost universal subcode family of $C_1$ with minimum (or maximum) dimension $t$ if

$$ \forall x \in C_1 \setminus \{0\},\quad \Pr[x \in C_{2,r}] \le 2^{t-m}\varepsilon. $$

Definition 11: Let $C_1 \subset \mathbb{F}_2^n$ be a fixed $m$-dimensional code. A code family $\mathcal{C}_2 = \{C_{2,r} \mid r \in I\}$ is called a subcode family of $C_1$ if each $C_{2,r}$ is a subcode of $C_1$, i.e., $\forall r \in I,\ C_{2,r} \subset C_1$. A subcode family $\mathcal{C}_2$ of $C_1$ is called an $\varepsilon$-almost dual universal subcode family of $C_1$ with minimum (or maximum) dimension $t$ if the extended code family $\mathcal{C}_2^\perp = \{C_{2,r}^\perp\}$ of $C_1^\perp$ is an $\varepsilon$-almost universal extended code family of $C_1^\perp$ with maximum (or minimum) dimension $n-t$. Similarly, an extended code family $\mathcal{C}_2$ of $C_1$ is called an $\varepsilon$-almost dual universal extended code family of $C_1$ with minimum (or maximum) dimension $t$ if the subcode family $\mathcal{C}_2^\perp$ of $C_1^\perp$ is an $\varepsilon$-almost universal subcode family of $C_1^\perp$ with maximum (or minimum) dimension $n-t$.

One explicit construction of $\mathcal{C}_2$ is to first let $\mathcal{D} = \{D_r \subset \mathbb{F}_2^m \mid r \in I\}$ be a universal code family with minimum dimension $t$, and then define the generator matrix of $C_{2,r} \in \mathcal{C}_2$ by $G(C_{2,r}) := G(D_r)G(C_1)$. For these types of codes as well, we can prove theorems similar to Theorems 1 and 2.

Theorem 3: Let $C_1 \subset \mathbb{F}_2^n$ be a fixed $m$-dimensional code, and $\mathcal{C}_2$ be an $\varepsilon$-almost universal subcode family of $C_1$ with minimum dimension $t \le m$. Then the dual code family $\mathcal{C}_2^\perp$ is a $\bigl(2(1-2^{t-m}\varepsilon) + (\varepsilon-1)2^t\bigr)$-almost universal extended code family of $C_1^\perp$ with maximum dimension $n-t$. That is,

$$ \forall x \in \mathbb{F}_2^n \setminus C_1^\perp,\quad \Pr[x \in C_{2,r}^\perp] \le (1-2^{t-m}\varepsilon)2^{-t+1} + \varepsilon - 1. \qquad (18) $$

In other words, the subcode family $\mathcal{C}_2$ is also a $\bigl(2(1-2^{t-m}\varepsilon) + (\varepsilon-1)2^t\bigr)$-almost dual universal extended code family of $C_1$.

Moreover, for an integer $t \le m$, an element $x \in \mathbb{F}_2^n \setminus C_1^\perp$, and a positive real number $\varepsilon$ below a threshold (illegible in the source), there exists an $\varepsilon$-almost universal subcode family $\mathcal{C}_2$ of $C_1$ with minimum dimension $t$ satisfying the equality in (18).

Proof: For an $\varepsilon$-almost universal subcode (extended code) family $\mathcal{C}_2$ of $C_1$, the equivalence relations $C_1 \cong \mathbb{F}_2^n / C_1^\perp \cong \mathbb{F}_2^m$ hold. The proofs of the above theorems with $\mathbb{F}_2^m$ can be applied to this theorem. ■

Theorem 4: Let $C_1 \subset \mathbb{F}_2^n$ be a fixed $m$-dimensional code, and $\mathcal{C}_2$ be an $\varepsilon$-almost universal extended code family of $C_1$ with minimum dimension $t \ge m$. Then the dual code family $\mathcal{C}_2^\perp$ is a $\bigl(2(1-2^{t-n}\varepsilon) + (\varepsilon-1)2^{t-m}\bigr)$-almost universal subcode family of $C_1^\perp$ with maximum dimension $n-t$. That is,

$$ \Pr[x \in C_{2,r}^\perp] \le (1-2^{t-n}\varepsilon)2^{-t+m+1} + \varepsilon - 1 \qquad (19) $$

for all $x \in C_1^\perp \setminus \{0\}$. In other words, the extended code family $\mathcal{C}_2$ is also a $\bigl(2(1-2^{t-n}\varepsilon) + (\varepsilon-1)2^{t-m}\bigr)$-almost dual universal subcode family of $C_1$.

Furthermore, for an integer $m \le t \le n$, an element $x \in C_1^\perp \setminus \{0\}$, and a positive real number $\varepsilon$ below a threshold (missing in the source), there exists an $\varepsilon$-almost universal extended code family $\mathcal{C}_2$ of $C_1$ with minimum dimension $t$ satisfying the equality in (19).

Proof: Similarly, for an $\varepsilon$-almost universal extended code family $\mathcal{C}_2$ of $C_1$, the equivalence relations $\mathbb{F}_2^n / C_1 \cong C_1^\perp \cong \mathbb{F}_2^{n-m}$ hold. Under this equivalence, $C_{2,r}/C_1$ can be regarded as a subspace of $\mathbb{F}_2^{n-m}$ with minimum dimension $t-m$. The proofs of the above theorems with $\mathbb{F}_2^{n-m}$ and minimum dimension $t-m$ can be applied to this theorem. ■

Furthermore, when the code $C_1$ is randomly chosen, the concept of an extended code family $\{C_{2,r}\}_r$ can be generalized in the following way. In this case, we define the property "$\varepsilon$-almost universal" for a family of pairs of codes $\{C_{1,r} \subset C_{2,r}\}_r$.

Definition 12: A family of pairs of codes $\{C_{1,r} \subset C_{2,r}\}_r$ is called an $\varepsilon$-almost universal code pair family with minimum (or maximum) dimension $t$ when it satisfies the conditions

$$ t = \min_r \dim C_{2,r} \ (\text{or } \max_r \dim C_{2,r}), $$
$$ \forall x \in \mathbb{F}_2^n \setminus \{0\},\quad \Pr[x \in C_{2,r} \setminus C_{1,r}] \le 2^{t-n}\varepsilon. $$

Since any $\varepsilon$-almost universal extended code family $\{C_{2,r}\}_r$ of the code $C_1$ gives an $\varepsilon$-almost universal code pair family $\{C_1 \subset C_{2,r}\}_r$, the concept "$\varepsilon$-almost universal code pair family" is a generalization of "$\varepsilon$-almost universal extended code family".

Considering the dual codes, we obtain the following definition.

Definition 13: A family of pairs of codes $\{C_{1,r} \subset C_{2,r}\}_r$ is called an $\varepsilon$-almost dual universal code pair family with maximum (or minimum) dimension $t$ if the family of pairs $\{C_{2,r}^\perp \subset C_{1,r}^\perp\}_r$ is an $\varepsilon$-almost universal code pair family with minimum (or maximum) dimension $n-t$.

Since any $\varepsilon$-almost dual universal subcode family $\{C_{2,r}\}_r$ of the code $C_1$ gives an $\varepsilon$-almost dual universal code pair family $\{C_{2,r} \subset C_1\}_r$, the concept "$\varepsilon$-almost dual universal code pair family" is a generalization of "$\varepsilon$-almost dual universal subcode family".

III. The $\delta$-biased family

Next, following Dodis and Smith [9], we introduce the $\delta$-biased family of random variables $\{W_r\}$. For a given $\delta > 0$, a family of random variables $\{W_r\}$ on $\mathbb{F}_2^n$ is called $\delta$-biased when the inequality

$$ \mathbb{E}_r \bigl( \mathbb{E}_{W_r} (-1)^{x \cdot W_r} \bigr)^2 \le \delta^2 \qquad (20) $$

holds for any $x \in \mathbb{F}_2^n$, $x \ne 0$.

We denote the random variable subject to the uniform distribution on a code $C \subset \mathbb{F}_2^n$ by $W_C$. Then,

$$ \mathbb{E}_{W_C} (-1)^{x \cdot W_C} = 1[x \in C^\perp]. \qquad (21) $$

Using this relation, we obtain the following lemma.

Lemma 1: When a code family $\mathcal{C} = \{C_r \subset \mathbb{F}_2^n\}_r$ with minimum dimension $n-m$ is $\varepsilon$-almost dual universal, the family of random variables $\{W_{C_r}\}$ on $\mathbb{F}_2^n$ is $\sqrt{\varepsilon 2^{-m}}$-biased.
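As an added example (not code from the paper or its authors), the following Python script builds the dual pair of modified-Toeplitz families described in the previous subsection for a toy size $n = 6$, $m = 3$, checks $M_r N_r^T = 0$, measures the universality parameter $\varepsilon$ of both $\{C_r\}$ and $\{C_r^\perp\}$ by exhaustive enumeration (the check that Definition 11 asks for), and evaluates the squared bias of (20) for the uniform distributions $W_{C_r}$, with (21) and Lemma 1 as the reference. The block layout $M_r = (T_r \mid I_m)$, $N_r = (I_{n-m} \mid T_r^T)$ and the sizes are assumptions made for the example; `Fraction` keeps the probabilities exact.

```python
import itertools
from fractions import Fraction

# Added example, not code from the paper. It builds the dual pair of
# modified-Toeplitz families for n = 6, m = 3 and measures (i) the universality
# parameter of both families and (ii) the squared bias of (20) for the uniform
# distributions on the codes, as in Lemma 1. Assumed layout (not fixed by the
# text): M_r = (T_r | I_m) with T_r an m x (n-m) Toeplitz matrix over F_2, and
# N_r = (I_{n-m} | T_r^T); the check M_r N_r^T = 0 below is what matters.


def toeplitz_family(m, k):
    """Every m x k binary Toeplitz matrix, indexed by its m+k-1 diagonal bits."""
    for diag in itertools.product((0, 1), repeat=m + k - 1):
        # entry (i, j) depends only on j - i; shift by m-1 so the index is >= 0
        yield [[diag[j - i + m - 1] for j in range(k)] for i in range(m)]


def transpose(a):
    return [list(col) for col in zip(*a)]


def identity(k):
    return [[int(i == j) for j in range(k)] for i in range(k)]


def hstack(a, b):
    return [ra + rb for ra, rb in zip(a, b)]


def mul_transpose(a, b):
    """a * b^T over F_2: rows of a dotted with rows of b."""
    return [[sum(x & y for x, y in zip(ra, rb)) % 2 for rb in b] for ra in a]


def row_space(g):
    """All F_2-linear combinations of the rows of g, as a frozenset of tuples."""
    n = len(g[0])
    words = set()
    for coeffs in itertools.product((0, 1), repeat=len(g)):
        v = [0] * n
        for c, row in zip(coeffs, g):
            if c:
                v = [x ^ y for x, y in zip(v, row)]
        words.add(tuple(v))
    return frozenset(words)


def dual_pair_family(n, m):
    """(C_r, C_r^perp) for every Toeplitz T_r; C_r is spanned by M_r, C_r^perp by N_r."""
    pairs = []
    for T in toeplitz_family(m, n - m):
        M = hstack(T, identity(m))               # rank m thanks to the I_m block
        N = hstack(identity(n - m), transpose(T))
        if any(x for row in mul_transpose(M, N) for x in row):
            raise ValueError("M_r N_r^T != 0: the two families are not dual")
        pairs.append((row_space(M), row_space(N)))
    return pairs


def universality(codes, n):
    """Smallest eps with Pr_r[x in C_r] <= 2^(dim-n) eps for all x != 0."""
    (dim,) = {len(c).bit_length() - 1 for c in codes}   # common dimension
    worst = Fraction(0)
    for x in itertools.product((0, 1), repeat=n):
        if any(x):
            hits = sum(1 for c in codes if x in c)
            worst = max(worst, Fraction(hits, len(codes)))
    return worst / Fraction(2) ** (dim - n)


def squared_bias(codes, n):
    """max_{x != 0} E_r ( E_{W_{C_r}} (-1)^{x.W} )^2 with W_{C_r} uniform on C_r (20).
    By (21) the inner expectation is 1[x in C_r^perp], so this is max_x Pr_r[x in C_r^perp]."""
    worst = Fraction(0)
    for x in itertools.product((0, 1), repeat=n):
        if any(x):
            total = Fraction(0)
            for c in codes:
                signs = sum((-1) ** (sum(a & b for a, b in zip(x, w)) % 2) for w in c)
                inner = Fraction(signs, len(c))
                total += inner * inner
            worst = max(worst, total / len(codes))
    return worst


if __name__ == "__main__":
    pairs = dual_pair_family(6, 3)
    primal = [c for c, _ in pairs]
    dual = [d for _, d in pairs]
    print("codes in family:", len(pairs))
    print("eps of {C_r}:", universality(primal, 6), " eps of {C_r^perp}:", universality(dual, 6))
    print("delta^2 of {W_{C_r}}:", squared_bias(primal, 6), " Lemma 1 bound eps*2^-m:", Fraction(1, 8))
```

For these parameters both families come out exactly universal ($\varepsilon = 1$) and the squared bias is $2^{-3} = 1/8$, i.e. equality in Lemma 1; `universality` applied to the dual family is precisely the dual-universality test, and `squared_bias` evaluates (20) directly from its definition rather than through (21), so the two routes can be compared.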



Hence an $\varepsilon$-almost dual universal code family yields a $\delta$-biased family. For a partially eavesdropped random variable $A$ and a $\delta$-biased family of random variables $\{W_r\}_r$ that is independent of Eve's random variable, Dodis and Smith [9] proposed the protocol

$$ (A, W_r) \mapsto A + W_r \qquad (22) $$

for error correction with leakage of partial information. In order to evaluate the leaked information of this protocol, they showed the classical version of the following lemma (Lemma 2). Fehr and Schaffner [10] extended it to the quantum case in order to discuss the property of the protocol against a quantum attacker.

In this section, with the help of Lemmas 1 and 2, we evaluate the leaked information after privacy amplification by an $\varepsilon$-almost dual universal$_2$ code family.

Given a classical-quantum state $\rho^{A,E} = \sum_a P_A(a)\,|a\rangle\langle a| \otimes \rho^E_a$ on $\mathcal{H}_A \otimes \mathcal{H}_E$, and a normalized state $\sigma_E$ on $\mathcal{H}_E$, Renner [35] defines

$$ d_1(A:E|\rho^{A,E}) := \| \rho^{A,E} - \rho^A \otimes \rho^E \|_1, \qquad (23) $$

and

$$ d_2(A:E|\rho^{A,E}\|\sigma_E) := 2^{-H_2(A|E|\rho^{A,E}\|\sigma_E)} - \frac{1}{|A|}\operatorname{Tr}\bigl(\sigma_E^{-1/4}\rho^E\sigma_E^{-1/4}\bigr)^2, $$
$$ H_2(A|E|\rho^{A,E}\|\sigma_E) := -\log_2 \operatorname{Tr}\bigl((I \otimes \sigma_E)^{-1/4}\rho^{A,E}(I \otimes \sigma_E)^{-1/4}\bigr)^2, $$
$$ H_{\min}(A|E|\rho^{A,E}\|\sigma_E) := -\log_2 \bigl\| (I \otimes \sigma_E)^{-1/2}\rho^{A,E}(I \otimes \sigma_E)^{-1/2} \bigr\|. $$

As relations among these quantities, Renner [35, Lemma 5.2.3] shows

$$ d_1(A:E|\rho^{A,E}) \le \sqrt{|A|}\sqrt{d_2(A:E|\rho^{A,E}\|\sigma_E)}, \qquad (24) $$
$$ H_2(A|E|\rho\|\sigma) \ge H_{\min}(A|E|\rho\|\sigma). \qquad (25) $$

For a distribution $P_W$ on $A$, we define another classical-quantum state $\rho^{A,E} * P_W := \sum_w P_W(w) \sum_a P_A(a)\,|a+w\rangle\langle a+w| \otimes \rho^E_a$, which describes the output state of the protocol (22). Then, the following lemma holds.

Lemma 2 ([10, Theorem 3.2]): For any c-q sub-state $\rho^{A,E}$ on $\mathcal{H}_A \otimes \mathcal{H}_E$ and any state $\sigma_E$ on $\mathcal{H}_E$, a $\delta$-biased family of random variables $\{W_r\}$ on $A$ satisfies

$$ \mathbb{E}_r\, d_2(A:E|\rho^{A,E} * P_{W_r}\|\sigma_E) \le \delta^2\, 2^{-H_2(A|E|\rho^{A,E}\|\sigma_E)}. \qquad (26) $$

Based on the above lemma, we can evaluate the average performance of privacy amplification by an $\varepsilon$-almost dual universal code family as follows.

Lemma 3: Given a classical-quantum state $\rho^{A,E}$ on $\mathcal{H}_A \otimes \mathcal{H}_E$ and a state $\sigma_E$ on $\mathcal{H}_E$, when $\{C_r\}$ is an $\varepsilon$-almost dual universal code family with minimum dimension $m$, the family of hash functions $\{f_{C_r}\}_r$ satisfies

$$ \mathbb{E}_r\, d_2(f_{C_r}(A):E|\rho^{A,E}\|\sigma_E) \le \varepsilon\, 2^{-H_2(A|E|\rho^{A,E}\|\sigma_E)}. \qquad (27) $$

That is, any $\varepsilon$-almost dual universal hash function family $\{f_r\}_r$ satisfies the above inequality.

Using (24) and (25), we obtain

$$ \mathbb{E}_r\, d_1(f_{C_r}(A):E|\rho^{A,E}) \le \sqrt{\varepsilon}\, 2^{\frac{n-m}{2} - \frac{1}{2}H_2(A|E|\rho^{A,E}\|\sigma_E)} \le \sqrt{\varepsilon}\, 2^{\frac{n-m}{2} - \frac{1}{2}H_{\min}(A|E|\rho^{A,E}\|\sigma_E)}. \qquad (28) $$

Thus we have obtained the $\varepsilon$-almost dual universal version of Theorem 5.5.1 of Renner [35]. Hence, the two-universal hashing lemma and the other results given in Renner [35] can be generalized to our $\varepsilon$-almost dual universal hash functions. Note here that, as we have shown in Section II, the conventional universal function family is a special case of our $\varepsilon$-almost dual universal families. In the following, in order to distinguish it from the method given in Sections VI and VIII, we call this approach to privacy amplification by an $\varepsilon$-almost dual universal code family the $\delta$-biased approach.
Proof: Due to Lemma 2 we obtain

$$ \mathbb{E}_r\, d_2(A:E|\rho^{A,E} * P_{W_{C_r}}\|\sigma_E) \le \varepsilon 2^{-m}\, 2^{-H_2(A|E|\rho^{A,E}\|\sigma_E)}. \qquad (29) $$

Now, we focus on the relation $A = A/C \times C = f_C \times C$ for any code $C$. That is, any $a \in A$ can be uniquely specified by a coset element $[a] = a + C$ and a codeword $w \in C$. We regard $[a]$ as the hash value $f_C(a)$ of $a$. Then, for $P_W(w) = 2^{-m}$, we obtain

$$ \rho^{A,E} * P_W = \sum_{w \in C} 2^{-m} \sum_a P_A(a)\,|a+w\rangle_A\langle a+w| \otimes \rho^E_a $$
$$ = \sum_{w \in C} 2^{-m}\,|w\rangle_W\langle w| \otimes \sum_{[a] \in A/C} P_A([a])\,|[a]\rangle_F\langle [a]| \otimes \rho^E_{[a]} $$
$$ = \sum_{w \in C} 2^{-m}\,|w\rangle_W\langle w| \otimes \rho^{f_C(A),E}. $$

In the second and the third lines, we used a new basis such that $|a\rangle_A = |w\rangle_W \otimes |[a]\rangle_F$. The probability $P_A([a])$ is that of the coset element $[a]$ occurring, $P_A([a]) := \sum_{w \in C} P_A(a+w)$, and similarly $\rho^E_{[a]}$ is the mixed state corresponding to $[a]$, i.e., $\rho^E_{[a]} := \sum_{w \in C} \rho^E_{a+w}$. Then, by the definition of $d_2$, we have

$$ d_2(A:E|\rho^{A,E} * P_W\|\sigma_E) = 2^{-m} d_2(f_C(A):E|\rho^{f_C(A),E}\|\sigma_E) = 2^{-m} d_2(f_C(A):E|\rho^{A,E}\|\sigma_E). $$

Therefore, (29) implies

$$ \mathbb{E}_r\, 2^{-m} d_2(f_{C_r}(A):E|\rho^{A,E}\|\sigma_E) \le \varepsilon 2^{-m}\, 2^{-H_2(A|E|\rho^{A,E}\|\sigma_E)}, $$

which implies (27). ■
Remark 1: One might think that the concept of an "$\varepsilon$-almost dual universal hash function family" is not needed because of the correspondence between an $\varepsilon$-almost dual universal hash function family and a $\delta$-biased family given in Lemma 1. However, if we replace the terminology "$\varepsilon$-almost dual universal hash function family" by the terminology "$\delta$-biased family", we cause serious confusion, for the following reasons.

1) The concept of the "$\delta$-biased family" is defined for a family of random variables, while the concept of the "$\varepsilon$-almost dual universal hash function family" is defined for a family of hash functions. It is confusing to use the terminology "$\delta$-biased family" for describing a family of hash functions.

2) The correspondence holds only when a $\delta$-biased family is given as the uniform distribution on a code. Other $\delta$-biased families do not necessarily have such a correspondence.

3) If we study hash functions only in terms of the concept of the $\delta$-biased family, their relation with universal hash function families becomes obscure.

IV. Permuted code family

In some applications, our setting is invariant under permutations of the order of bits in $\mathbb{F}_2^n$. For example, in the wire-tap channels which we consider in later sections, independent and identically distributed (i.i.d.) channels are assumed, and thus the protocol is invariant under permutations of bits. Then a code $C \subset \mathbb{F}_2^n$ has the same performance as any bit-permuted code of $C$.

In order to formulate such situations, we introduce the permuted code family of a code $C$ as the code family consisting of the bit-permuted codes of $C$:

$$ \mathcal{C}_C := \{\sigma(C) \mid \sigma \in S_n\}. \qquad (30) $$

Here $S_n$ denotes the symmetric group of degree $n$, and $\sigma(i) = j$ means that $\sigma \in S_n$ maps $i$ to $j$, where $i, j \in \{1, \ldots, n\}$. The code $\sigma(C)$ is the one obtained by permuting the bits of $C$ by a permutation $\sigma$; if $x = (x_1, \ldots, x_n) \in C$, then $x_\sigma := (x_{\sigma(1)}, \ldots, x_{\sigma(n)}) \in \sigma(C)$.

In what follows, we denote the distribution of the Hamming weight $k$ of codewords in $C$ by $\Pr_C$; that is, the number of codewords with weight $k$ contained in $C$ is $|C|\Pr_C(k)$. In order to characterize the permuted code family $\mathcal{C}_C$, when the dimension of a code $C$ is $t$, we define

$$ \varepsilon_k(C) := \frac{|C|\Pr_C(k)\,2^{n-t}}{\binom{n}{k}} = \frac{2^n \Pr_C(k)}{\binom{n}{k}}, \qquad (31) $$
$$ \varepsilon(C) := \max_{1 \le k \le n} \varepsilon_k(C). \qquad (32) $$

Lemma 4: The permuted code family $\mathcal{C}_C$ is an $\varepsilon(C)$-almost universal code family.

Proof: Any code $C' \in \mathcal{C}_C$ has the weight distribution $\Pr_C$. By averaging over all $C' \in \mathcal{C}_C$, we see that the code family $\mathcal{C}_C$ also has the weight distribution $\Pr_C$. That is, a code $C' \in \mathcal{C}_C$ contains $2^t\Pr_C(k)$ elements of weight $k$ on average. On the other hand, the number of elements $x \in \mathbb{F}_2^n$ with weight $k$ is $\binom{n}{k}$, and due to the symmetry of $\mathcal{C}_C$ under bit permutations, each of them is contained in a randomly chosen $C' \in \mathcal{C}_C$ with the same probability. Thus, an element $x \in \mathbb{F}_2^n$ with weight $k$ belongs to the code $C' \in \mathcal{C}_C$ with probability $2^t\Pr_C(k)/\binom{n}{k}$. By taking the maximum with respect to $k$, we see that any element $x \in \mathbb{F}_2^n$ belongs to the code $C' \in \mathcal{C}_C$ with probability at most $\varepsilon(C)2^{t-n}$. Hence, we obtain the desired statement. ■
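As an added example (not the paper's code), the script below computes $\varepsilon_k(C)$ and $\varepsilon(C)$ of (31) and (32) from the weight distribution of a constructed $[6,3]$ code and then checks Lemma 4 by brute force: it enumerates all $720$ permutations in $S_6$ and measures the worst-case probability that a nonzero word lies in $\sigma(C)$, normalized by $2^{t-n}$. The generator matrix `G6` is an assumption chosen for the example.

```python
import itertools
from fractions import Fraction
from math import comb

# Added example, not code from the paper: epsilon_k(C) and epsilon(C) of (31)-(32)
# for a constructed [6,3] code, and a brute-force check of Lemma 4 over all 720
# bit permutations. The generator matrix G6 is an assumption, not the paper's.


def span(generators):
    """All F_2-linear combinations of the generator rows, as a frozenset of tuples."""
    n = len(generators[0])
    words = set()
    for coeffs in itertools.product((0, 1), repeat=len(generators)):
        v = [0] * n
        for c, g in zip(coeffs, generators):
            if c:
                v = [a ^ b for a, b in zip(v, g)]
        words.add(tuple(v))
    return frozenset(words)


def weight_distribution(code, n):
    """Pr_C(k): fraction of codewords of Hamming weight k, for k = 0..n."""
    counts = [0] * (n + 1)
    for w in code:
        counts[sum(w)] += 1
    return [Fraction(c, len(code)) for c in counts]


def epsilon_k(code, n):
    """epsilon_k(C) = 2^n Pr_C(k) / binom(n, k) for k = 1..n, as in (31)."""
    pr = weight_distribution(code, n)
    return [Fraction(2 ** n) * pr[k] / comb(n, k) for k in range(1, n + 1)]


def epsilon(code, n):
    """epsilon(C) = max_{1 <= k <= n} epsilon_k(C), as in (32)."""
    return max(epsilon_k(code, n))


def permute(word, sigma):
    """x_sigma = (x_{sigma(1)}, ..., x_{sigma(n)}) with sigma given 0-based."""
    return tuple(word[sigma[i]] for i in range(len(word)))


def permuted_family(code, n):
    """C_C = {sigma(C) : sigma in S_n}, one entry per sigma so that picking an
    entry uniformly is the same as picking sigma uniformly."""
    return [frozenset(permute(w, sigma) for w in code)
            for sigma in itertools.permutations(range(n))]


def family_universality(family, n, t):
    """Smallest eps such that Pr[x in C] <= 2^(t-n) eps for every x != 0 when C
    is drawn uniformly from the family of t-dimensional codes."""
    worst = Fraction(0)
    for x in itertools.product((0, 1), repeat=n):
        if any(x):
            hits = sum(1 for c in family if x in c)
            worst = max(worst, Fraction(hits, len(family)))
    return worst / Fraction(2) ** (t - n)


# Constructed [6,3] code (assumption): codeword weights 0, 3, 3, 3, 3, 4, 4, 4.
G6 = [(1, 0, 0, 1, 1, 0),
      (0, 1, 0, 0, 1, 1),
      (0, 0, 1, 1, 0, 1)]


def lemma4_check(generators=G6):
    """Returns (epsilon(C), measured universality of C_C). Lemma 4 says the second
    never exceeds the first; for a permuted family the two coincide, because the
    symmetry argument in the proof gives Pr[x in sigma(C)] exactly."""
    n, t = len(generators[0]), len(generators)
    code = span(generators)
    return epsilon(code, n), family_universality(permuted_family(code, n), n, t)


if __name__ == "__main__":
    eps_c, eps_family = lemma4_check()
    print("epsilon(C) =", eps_c, " universality of permuted family =", eps_family)
    print("Theorem 5 bound n+1 = 7 holds:", eps_c <= 7)
```

For this code $\varepsilon(C) = 8/5$, attained at both $k = 3$ and $k = 4$, and the brute-force value over $S_6$ equals it exactly; the bound $\varepsilon(C) \le n+1 = 7$ of Theorem 5 is comfortably satisfied here, although Theorem 5 only guarantees the existence of such a code, not that every code meets it.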
Theorem 5: For any $1 \le t \le n$, there exists a $t$-dimensional code $C \subset \mathbb{F}_2^n$ such that $\varepsilon(C) \le n+1$.

Proof: Let $\mathcal{C}$ be a universal code family. Then $\mathbb{E}\,\varepsilon_k(C) \le 1$. The Markov inequality yields

$$ \Pr\{\varepsilon_k(C) > n+1\} \le \frac{1}{n+1}, \qquad (33) $$

and thus

$$ \Pr\{\varepsilon_1(C) \le n+1, \ldots, \varepsilon_n(C) \le n+1\}^c = \Pr \bigcup_{1 \le k \le n} \{\varepsilon_k(C) > n+1\} \le \frac{n}{n+1}. $$

Hence, there exists a code $C$ such that

$$ \varepsilon_k(C) \le n+1 \qquad (34) $$

for $k = 1, \ldots, n$. ■

Combining Lemma 4 and Theorem 5, we obtain the following proposition.

Proposition 1: For any $1 \le t \le n$, there exists a $t$-dimensional code $C$ such that the permuted code family $\mathcal{C}_C$ is $(n+1)$-almost universal.

Indeed, Shulman et al. [36] discussed the average decoding error probability under the permuted code family. However, we do not consider the average decoding error probability here. We show the relation with the concept of $\varepsilon$-almost universality, which they did not treat.

Similarly, we can define the permuted code pair family for a given pair of codes $C_2 \subset C_1$ as the family of code pairs $\mathcal{C}_{C_2 \subset C_1} := \{\sigma(C_2) \subset \sigma(C_1) \mid \sigma \in S_n\}$. We define $\varepsilon(C_1/C_2) := \max_{1 \le k \le n} \bigl(\varepsilon_k(C_1) - \varepsilon_k(C_2)\frac{|C_2|}{|C_1|}\bigr)$. As a generalization of Lemma 4, we obtain the following lemma.

Lemma 5: The permuted code pair family $\mathcal{C}_{C_1/C_2}$ is an $\varepsilon(C_1/C_2)$-almost universal code pair family.

This lemma can be shown by the same discussion as the proof of Lemma 4. Furthermore, we can show the following theorem.

Theorem 6: For any $t \le n$ and a code $C_2$, there exists a $t$-dimensional code $C_1 \subset \mathbb{F}_2^n$ such that $C_2 \subset C_1$ and $\varepsilon(C_1/C_2) \le n+1$.

This theorem can be shown in the same way as Theorem 5 by choosing the code $C_1$ from a universal extended code family of $C_2$.

Combining Lemma 5 and Theorem 6, we obtain the following proposition.

Proposition 2: For any $1 \le t \le n$ and a code $C_2$, there exists a $t$-dimensional extended code $C_1$ of $C_2$ such that the permuted code pair family $\mathcal{C}_{C_1/C_2}$ is an $(n+1)$-almost universal code pair family.

Considering the dual codes, we obtain the following proposition.

Proposition 3: For any $1 \le t \le n$ and a code $C_2$, there exists a $t$-dimensional subcode $C_1$ of $C_2$ such that the permuted code pair family $\mathcal{C}_{C_2/C_1}$ is an $(n+1)$-almost dual universal code pair family.

Proposition 3 can be shown by substituting $C_2^\perp$ and $C_1^\perp$ for $C_2$ and $C_1$ in Proposition 2. In later sections, we use these results to show the existence of deterministic hash functions that work universally for quantum wire-tap channels.

V. Application to error correcting codes

In this section, as a preliminary for later sections, we apply the results of Section II to error correction. We use a code $C \in \mathcal{C}$ chosen randomly from an $\varepsilon$-almost universal code family $\mathcal{C}$ for error correction, and show that it indeed serves as a good code. As previous work, for example, Brassard and Salvail applied universal$_2$ codes in the context of information reconciliation (Ref. [4], Theorem 6). Muramatsu and Miyake have also studied a similar problem using a somewhat generalized definition of universal hash functions [33]. Here we present a much simpler evaluation by employing a more restrictive condition on the family of codes than [33].

We consider a noisy channel with additive noise, and denote the probability that the noise $x \in \mathbb{F}_2^n$ occurs by $P_X(x)$. We also denote by $P_X(k)$ the probability that an error with Hamming weight $k$ occurs. In this channel, the sender Alice uses an $\varepsilon$-almost universal code family as error correcting codes. The receiver Bob applies the maximum likelihood decoder to his bits. In order to evaluate the performance of the decoder, we focus on the decoding error probability, i.e., the probability that the decoder makes a wrong guess. We denote this probability for a fixed code $C$ by $P_e(C)$. From now on, we often treat a code $C$ as a random variable that is chosen with equal probability from the $\varepsilon$-almost universal code family $\mathcal{C}$. For example, we denote the expectation of a variable $A$ with respect to the random variable $C$ by $\mathbb{E}_{C \in \mathcal{C}} A$. In this notation, the main purpose of this section is to evaluate $\mathbb{E}_{C \in \mathcal{C}} P_e(C)$, i.e., the average of $P_e(C)$ when $C$ is randomly chosen from $\mathcal{C}$.

First, for the sake of simplicity, we evaluate the performance of the minimum Hamming distance decoder. Note that the decoding error probability of this decoder, $\mathbb{E}_{C \in \mathcal{C}} P_{\mathrm{hd}}(C)$, can be used as an upper bound on $\mathbb{E}_{C \in \mathcal{C}} P_e(C)$, since the maximum-likelihood decoder provides the minimum decoding error probability $P_e(C)$. We assume that our $\varepsilon$-almost universal code family $\mathcal{C}$ has the maximum dimension $t_{\max}$; hence the decoder outputs $t_{\max}$ bits, and the code rate is $R = t_{\max}/n$. Now suppose that a bit flip $x$ of Hamming weight $k$ occurs in the channel (i.e., an input $w$ is mapped to $w + x$). In this case, the success or failure of the minimum distance decoding is written as $P_{\mathrm{hd}}(x; C)$. That is, the success (the failure) is denoted by $P_{\mathrm{hd}}(x; C) = 0$ ($P_{\mathrm{hd}}(x; C) = 1$). Then the decoder fails if there exists another code element $y \in C$ with Hamming weight $\le k$; in other words, if $\{y \in \mathbb{F}_2^n : |y| \le k, y \ne x\} \cap (C \setminus \{0\}) \ne \emptyset$. Then,

$$ P_{\mathrm{hd}}(x; C) = 1\bigl[\{y \in \mathbb{F}_2^n : |y| \le k, y \ne x\} \cap (C \setminus \{0\}) \ne \emptyset\bigr] \le \sum_{y : |y| \le k,\, y \ne x} 1[y \in C \setminus \{0\}], \qquad (35) $$

where $1[A]$ is the indicator function, defined to be 1 when $A$ holds and 0 otherwise. For a fixed element $y$, due to the defining condition of $\varepsilon$-almost universality (Section II), any $\varepsilon$-almost universal code family $\mathcal{C}$ satisfies

$$ \mathbb{E}_{C \in \mathcal{C}}\, 1[y \in C] = \Pr[y \in C] \le 2^{t_{\max} - n}\varepsilon \qquad (36) $$

for $y \ne 0$. When averaged over $C \in \mathcal{C}$, combining (35) and (36), we can evaluate the average of $P_{\mathrm{hd}}(x; C)$:

$$ \mathbb{E}_{C \in \mathcal{C}} P_{\mathrm{hd}}(x; C) \le \mathbb{E}_{C \in \mathcal{C}} \sum_{y : |y| \le k,\, y \ne x} 1[y \in C \setminus \{0\}] $$
$$ \le \mathbb{E}_{C \in \mathcal{C}} \sum_{y : |y| \le k} 1[y \in C \setminus \{0\}] $$
$$ = \mathbb{E}_{C \in \mathcal{C}} \sum_{y : |y| \le k,\, y \ne 0} 1[y \in C] $$
$$ = \sum_{y : |y| \le k,\, y \ne 0} \mathbb{E}_{C \in \mathcal{C}}\, 1[y \in C] $$
$$ \le \sum_{y : |y| \le k,\, y \ne 0} 2^{t_{\max} - n}\varepsilon $$
$$ \le 2^{nh(\min\{k/n, 1/2\})}\, 2^{t_{\max} - n}\varepsilon, $$

where the final inequality follows from the fact that $\sum_{i=0}^{k} \binom{n}{i} \le 2^{nh(\min\{k/n, 1/2\})}$ (see, e.g., Lemma 4.2.2 of [24]). Also, by noting the obvious bound $\mathbb{E}_{C \in \mathcal{C}} P_{\mathrm{hd}}(x; C) \le 1$, we have

$$ \mathbb{E}_{C \in \mathcal{C}} P_{\mathrm{hd}}(x; C) \le \varepsilon\, 2^{-n[1 - h(\min\{|x|/n, 1/2\}) - R]_+} \qquad (37) $$

for $\varepsilon \ge 1$, where $[a]_+ := \max\{a, 0\}$ for $a \in \mathbb{R}$.

Since the behavior of the minimum Hamming distance decoder is independent of the parameter $k$, the bound (37) can easily be generalized in the following way to the case where a weight distribution $P_X(k)$ of errors is given:

$$ \mathbb{E}_{C \in \mathcal{C}} P_e(C) \le \mathbb{E}_{C \in \mathcal{C}} \sum_{x \ne 0} P_X(x) P_{\mathrm{hd}}(x; C) $$
$$ = \sum_{x \ne 0,\, x \in \mathbb{F}_2^n} P_X(x)\, \mathbb{E}_{C \in \mathcal{C}} P_{\mathrm{hd}}(x; C) $$
$$ \le \sum_{x \ne 0} P_X(x)\, \varepsilon\, 2^{-n[1 - h(\min\{|x|/n, 1/2\}) - R]_+} $$
$$ = \varepsilon \sum_{k=1}^{n} P_X(k)\, 2^{-n[1 - h(\min\{k/n, 1/2\}) - R]_+}. \qquad (38) $$

As to the asymptotic behavior, one can easily see that, when the probability $P_X\{k \mid 1 - h(\min\{k/n, 1/2\}) > R + \delta\}$ approaches 1 for sufficiently small $\delta > 0$, the right hand side of (38) converges to zero. We note that Inequality (38) is used in Ref. [23] to prove the security of the BB84 protocol for the case of finite key lengths.

Remark 2: The essential point of the above evaluation of $\mathbb{E}_{C \in \mathcal{C}} P_e(C)$ is the exchange of the order of $\sum_{x \ne 0}$ and $\mathbb{E}_{C \in \mathcal{C}}$. For a fixed error $x$, the $\varepsilon$-almost universality$_2$ guarantees the evaluation of the average $\mathbb{E}_{C \in \mathcal{C}} P_{\mathrm{hd}}(x; C)$ as in (37). If we fix a code $C$, we cannot obtain a similar evaluation.

Next we consider the case of finite $n$. In this case it is not easy to calculate similar bounds, hence we further assume that the channel is memoryless. That is, the probability distribution $P_X$ of errors $x$ is assumed to be the binary distribution with probability $p$, i.e., each bit is flipped independently with probability $p$. In this channel, when $p$ is less than $1/2$, the maximum-likelihood decoder is equivalent to the minimum Hamming distance decoder. In this case, by modifying Gallager's bound for random coding [11], we can obtain the following simple bound.

Theorem 7: When $P_X(x)$ is given as the $n$-th independent and identical extension of the distribution $(1-p, p)$, then the average decoding error probability of error correction using an $\varepsilon$-almost universal code family $\mathcal{C}$ with maximum dimension $t_{\max} = nR$ satisfies

$$ \mathbb{E}_{C \in \mathcal{C}} P_e(C) \le \min_{0 \le s \le 1} \varepsilon^s\, 2^{-n[-sR + E_0(s,p)]}, \qquad (39) $$

where

$$ E_0(s,p) := s - \log_2 \bigl( p^{\frac{1}{1+s}} + (1-p)^{\frac{1}{1+s}} \bigr)^{1+s}. \qquad (40) $$

This theorem is shown in Appendix A. The function $E_0(s,p)$ defined in (40) is in fact the specialized form of Gallager's $E_0(s,p)$ for the binary symmetric channel and the uniform input distribution [11]. Hence, by using the method of [11], the right hand side of (39) can be used to evaluate the exponential decreasing rate of $\mathbb{E}_{C \in \mathcal{C}} P_e(C)$ with respect to $n$ as follows.

Corollary 3: Under the same conditions as Theorem 7, $\mathbb{E}_{C \in \mathcal{C}} P_e(C)$ can be bounded from above as

$$ \mathbb{E}_{C \in \mathcal{C}} P_e(C) \le 2^{-nE(R,p)} \max\{\varepsilon, 1\}, \qquad (41) $$

where $E(R,p)$ is Gallager's reliability function

$$ E(R,p) := \max_{0 \le s \le 1} -sR + E_0(s,p). \qquad (42) $$

In particular, $E(R,p)$ is strictly positive for $R < 1 - h(p)$.

Proof of Corollary 3: The first half of the corollary is obvious. Denote the argument of the maximum by $E_R(s,p) := -sR + E_0(s,p)$. Then $E_R(0,p) = 0$, and $\partial_s E_R(s,p)|_{s=0} = 1 - h(p) - R > 0$ if $R < 1 - h(p)$. Hence $E_R(s,p)$ attains a positive maximum value at some $s \in (0,1]$. (Also see Ref. [11].) ■

The exponential decreasing rate $E(R,p)$ of (41) can also be verified from (38) by using the method of types [8] when $p < 1/2$. For this purpose, we introduce the divergence function $d(q\|p) := q\log\frac{q}{p} + (1-q)\log\frac{1-q}{1-p}$. Since $P_X(k) \le 2^{-nd(q\|p)}$ with $q = k/n$ for the binary symmetric channel [8], and $\sum_{k=\lceil n/2\rceil}^{n} P_X(k) \le 2^{-nd(1/2\|p)}$, the right hand side of (38) can be evaluated as

$$ \varepsilon \sum_{k=0}^{n} P_X(k)\, 2^{-n[1 - h(\min\{k/n, 1/2\}) - R]_+} $$
$$ \le \varepsilon \Bigl( 2^{-nd(1/2\|p)} + \lfloor n/2 + 1 \rfloor \max_{0 \le k \le n/2} P_X(k)\, 2^{-n[1 - h(k/n) - R]_+} \Bigr) $$
$$ \le \lfloor n/2 + 2 \rfloor\, \varepsilon \max_{0 \le q \le 1/2} 2^{-n([1 - h(q) - R]_+ + d(q\|p))} $$
$$ = \lfloor n/2 + 2 \rfloor\, \varepsilon\, 2^{-n \min_{0 \le q \le 1/2} \{[1 - h(q) - R]_+ + d(q\|p)\}}. \qquad (43) $$

One can see that the exponential decreasing rate of (43) indeed equals $E(R,p)$ by using the relation

$$ \min_{0 \le q \le 1/2} [1 - h(q) - R]_+ + d(q\|p) = \max_{0 \le s \le 1} -sR + E_0(s,p). \qquad (44) $$

The proof of this relation is given, e.g., in Csiszár and Körner [8] in a more general form. However, since a simpler proof of (44) can be given by using the property of additive channels, we reproduce it in the Appendix for the readers' convenience.
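As an added example (not from the paper), the following Python functions evaluate $E_0(s,p)$ of (40), $E(R,p)$ of (42), the bounds (38), (39) and (41) for a binary symmetric channel, and the type-method exponent on the left of (44), so that the identity (44) and the positivity claim of Corollary 3 can be checked numerically. The grids and the parameter values $p = 0.1$, $R = 0.3$ are assumptions made for the example.

```python
import math
from math import comb

# Added example, not code from the paper: numerical evaluation of Gallager's
# E_0(s,p) (40), the reliability function E(R,p) (42), the bounds (38), (39) and
# (41) for a BSC(p), and a check of the identity (44) on a grid. No parameter
# values here come from the paper; they are constructed for illustration.


def h(q):
    """Binary entropy in bits."""
    if q <= 0.0 or q >= 1.0:
        return 0.0
    return -q * math.log2(q) - (1 - q) * math.log2(1 - q)


def d(q, p):
    """Binary divergence d(q||p) in bits for 0 < p < 1."""
    if q <= 0.0:
        return -math.log2(1 - p)
    if q >= 1.0:
        return -math.log2(p)
    return q * math.log2(q / p) + (1 - q) * math.log2((1 - q) / (1 - p))


def e0(s, p):
    """E_0(s,p) = s - log2 (p^{1/(1+s)} + (1-p)^{1/(1+s)})^{1+s}, as in (40)."""
    base = p ** (1 / (1 + s)) + (1 - p) ** (1 / (1 + s))
    return s - (1 + s) * math.log2(base)


def _grid(steps, upper=1.0):
    return (upper * i / steps for i in range(steps + 1))


def reliability(R, p, steps=4000):
    """E(R,p) = max_{0<=s<=1} -sR + E_0(s,p), (42), evaluated on a grid of s."""
    return max(-s * R + e0(s, p) for s in _grid(steps))


def bound_39(n, R, p, eps, steps=4000):
    """min_{0<=s<=1} eps^s 2^{-n[-sR + E_0(s,p)]}: Theorem 7's bound (39) on E P_e(C)."""
    return min(eps ** s * 2 ** (-n * (-s * R + e0(s, p))) for s in _grid(steps))


def bound_41(n, R, p, eps):
    """2^{-n E(R,p)} max{eps, 1}: Corollary 3's bound (41)."""
    return 2 ** (-n * reliability(R, p)) * max(eps, 1.0)


def bound_38(n, R, p, eps):
    """eps * sum_k P_X(k) 2^{-n[1-h(min{k/n,1/2})-R]_+} with P_X binomial(n, p), (38)."""
    total = 0.0
    for k in range(n + 1):
        p_x_k = comb(n, k) * p ** k * (1 - p) ** (n - k)
        exponent = max(1 - h(min(k / n, 0.5)) - R, 0.0)
        total += p_x_k * 2 ** (-n * exponent)
    return eps * total


def type_exponent(R, p, steps=4000):
    """min_{0<=q<=1/2} [1-h(q)-R]_+ + d(q||p): the left-hand side of (44)."""
    return min(max(1 - h(q) - R, 0.0) + d(q, p) for q in _grid(steps, 0.5))


if __name__ == "__main__":
    p, R, n = 0.1, 0.3, 200
    print("capacity 1-h(p) =", 1 - h(p))
    print("E(R,p) =", reliability(R, p), " type-method exponent (44) =", type_exponent(R, p))
    for eps in (1.0, 4.0):
        print("eps =", eps, " (38):", bound_38(n, R, p, eps),
              " (39):", bound_39(n, R, p, eps), " (41):", bound_41(n, R, p, eps))
```

Both sides of (44) are optimized on a grid, so they agree to within the grid resolution rather than exactly. For $R$ above $1 - h(p)$ the maximum in (42) is attained at $s = 0$ and the exponent vanishes, as Corollary 3 states; with $\varepsilon = 1$ the bounds (39) and (41) coincide, and for $\varepsilon > 1$ the minimization over $s$ in (39) is never worse than (41).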
Now, we consider the case where the sender and the receiver use a fixed $t$-dimensional code $C$ that satisfies the condition of Theorem 5, i.e., a code $C$ whose permuted code family $\mathcal{C}_C$ is $(n+1)$-almost universal. If the error distribution $P_X$ is permutation invariant, e.g., if the channel is binary symmetric, we have $P_e(C) = P_e(\sigma(C))$ for any permutation $\sigma \in S_n$, which implies that $P_e(C) = \mathbb{E}_{\sigma \in S_n} P_e(\sigma(C))$. In other words, one may evaluate $P_e(C)$ as if the code family $\mathcal{C}_C$ were actually used. Thus, by applying (39) and by noting $n+1 \ge 1$, we obtain the inequality

$$ P_e(C) \le (n+1)\, 2^{-nE(R,p)} \qquad (45) $$

with $R = t/n$. Note that the code $C$ satisfies this inequality for any $p$.

In the rest of this section, we show that the above results also hold for the case where the information is encoded by the cosets $C_1/C_2$ of two given codes $C_1$ and $C_2$ satisfying $C_2 \subset C_1 \subset \mathbb{F}_2^n$. These codes are used for constructions of the quantum Calderbank-Shor-Steane (CSS) codes, and for this reason, they are often called the classical CSS codes. In this section, we restrict ourselves to the following type of classical communication. A message to be sent is a coset $[x] \in C_1/C_2$, and when the sender wants to send $[x]$, she chooses an element randomly from the set $x + C_2$ with equal probability and sends it. On the receiver's side, Bob first applies the maximum likelihood decoder of $C_1$ to the received sequence and obtains an element $y \in C_1$. Then, he obtains the coset $[y] \in C_1/C_2$ as the final decoded message. We denote the decoding error probability of this decoder by $P_e(C_1/C_2)$.

We assume that the subcode $C_2$ is fixed, and the larger code $C_1$ is randomly chosen with equal probability from the $\varepsilon$-almost universal extended code family $\mathcal{C}$ of $C_2$ with maximum dimension $t_{\max}$. Again, the purpose of the following discussion is to evaluate $\mathbb{E}_{C_1 \in \mathcal{C}} P_e(C_1/C_2)$. By a similar argument as above, when the bit flip error occurs on $k$ bits in the noisy channel, we can show that $\mathbb{E}_{C_1 \in \mathcal{C}} P_e(C_1/C_2)$ is less than $\min\{2^{nh(\min\{k/n,1/2\})}\varepsilon 2^{t_{\max}-n}, 1\} \le \varepsilon 2^{-n[1 - h(\min\{k/n,1/2\}) - R]_+}$, $R = t_{\max}/n$, for $\varepsilon \ge 1$.

Thus, for any weight distribution $P_X$ of errors, we have

$$ \mathbb{E}_{C_1 \in \mathcal{C}} P_e(C_1/C_2) \le \varepsilon \sum_{k=0}^{n} P_X(k)\, 2^{-n[1 - h(\min\{k/n,1/2\}) - R]_+}. \qquad (46) $$

If we further assume that the channel is memoryless, as a generalization of Theorem 7 and Corollary 3 we have the following.

Theorem 8: When $P_X(x)$ is given as the $n$-th independent and identical extension of the distribution $(1-p, p)$, then an $\varepsilon$-almost universal extended code family $\mathcal{C}$ of $C_2$ with maximum dimension $t_{\max} = nR$ satisfies

$$ \mathbb{E}_{C_1 \in \mathcal{C}} P_e(C_1/C_2) \le \min_{0 \le s \le 1} \varepsilon^s\, 2^{-n[-sR + E_0(s,p)]} \qquad (47) $$

and thus

$$ \mathbb{E}_{C_1 \in \mathcal{C}} P_e(C_1/C_2) \le 2^{-nE(R,p)} \max\{\varepsilon, 1\}. \qquad (48) $$

Further, the above inequalities are valid even with an $\varepsilon$-almost universal extended code pair family $\{C_2 \subset C_1\}$.

This theorem is also shown in Appendix A in a way similar to Theorem 7.

Finally, for a given code $C_2$, we can choose another fixed code $C_1$ satisfying the condition of Theorem 6, i.e., $C_2 \subset C_1$ and $\varepsilon(C_1/C_2) \le n+1$. We then assume that the sender and the receiver use this fixed pair for error correction. If the distribution $P_X$ is permutation invariant, we have $P_e(C_1/C_2) = P_e(\sigma(C_1)/\sigma(C_2))$ for any permutation $\sigma \in S_n$, which implies that $P_e(C_1/C_2) = \mathbb{E}_{\sigma \in S_n} P_e(\sigma(C_1)/\sigma(C_2))$. Thus one may evaluate $P_e(C_1/C_2)$ as if the $(n+1)$-almost universal permuted extended code pair family $\mathcal{C}_{C_2 \subset C_1}$ were actually used. Applying (47), we obtain the inequality

$$ P_e(C_1/C_2) \le (n+1)\, 2^{-nE(R,p)}. \qquad (49) $$

Note that the code $C_1$ satisfies this inequality for any $p$.



VI. Quantum key distribution

In this section, we show the strong security when an $\varepsilon$-almost dual universal hash function family is applied in quantum key distribution (QKD). For this purpose, we apply the results of the previous sections to the phase error correction in the security proof of QKD. Hence, we call this approach the phase error correction approach.

In QKD, Alice and Bob need to perform a key distillation protocol to generate a secret key from the sifted key that they obtained as a result of the quantum communication. We consider the following type of BB84 protocol using a function family $\mathcal{F} = \{f_r : \mathbb{F}_2^m \to \mathbb{F}_2^l \mid r \in I\}$ for privacy amplification.
BB84 protocol using a universal hash function family:

1) Alice and Bob establish sifted keys, and estimate the bit error rate by the usual procedure of the BB84 protocol, such as the one given in [37]. That is,

a) Alice sends Bob qubit states chosen randomly out of $\{|0_z\rangle, |1_z\rangle, |0_x\rangle, |1_x\rangle\}$.

b) Bob receives and measures them with randomly chosen bases $\{z, x\}$.

c) By using the authenticated public channel, Bob announces his measurement bases for all qubits, and they keep only the bits for which they chose the same basis.

d) They reveal randomly sampled bits over the public channel, and calculate the estimated bit error rate. If the rate is too high, they abort the protocol.

As a result, Alice and Bob obtain sifted keys $k_A, k_B \in \mathbb{F}_2^n$, respectively.

2) Alice picks a random number $r_A \in \mathbb{F}_2^m$, and announces $v = k_A \oplus G(C_1)r_A$, with $\oplus$ denoting XOR.

3) Bob calculates $R_B = k_B \oplus v$ and, by correcting its errors using $C_1$, obtains $R'_B \in C_1$. Then he calculates the raw bits $r_B \in \mathbb{F}_2^m$ satisfying $R'_B = G(C_1)r_B$. (Thus $r_A = r_B$ with high probability.)

4) Alice selects a linear universal function $f_r : \mathbb{F}_2^m \to \mathbb{F}_2^l$ randomly and announces it to Bob. Then they calculate the secret keys $s_A = f_r(r_A)$ and $s_B = f_r(r_B)$.



By using the widely used proof technique due to Shor and Preskill [...], the unconditional security of this protocol has been shown for the case where $\mathcal{F}$ consists of completely random linear functions [17], [18]. On the other hand, by using the quantum de Finetti representation theorem, Renner proved the unconditional security of the BB84 protocol using universal hash functions for privacy amplification [35]. In this section, we present a security proof of the Shor-Preskill type that holds under a weaker condition on $\mathcal{F}$, i.e., with $\mathcal{F}$ being an $\varepsilon$-almost dual universal family. Note that the condition on $\mathcal{F}$ is indeed relaxed, since, as shown in Sec. II, the universal function family is a special case of $\varepsilon$-almost dual universal families.

Note also that our method has the extra advantage that, unlike in [35], Alice and Bob do not need to perform random permutations of the sifted key bits. Conversely, if the random permutation is already implemented in one's QKD system, or if the channel is permutation invariant, our hash function can be replaced by the one using the deterministic code obtained in Theorem 6, since the permuted codes of this code pair form an $(n+1)$-almost dual universal subcode pair family.

For showing the security, it is convenient to rewrite the protocol in terms of the classical CSS code as follows.



BB84 protocol using code family $\mathcal{C}_2$:

1) Alice and Bob establish sifted keys $k_A, k_B \in \mathbb{F}_2^n$ by the same procedure as in the above protocol.

2) Alice picks $R_A \in C_1$ randomly and sends $v = k_A \oplus R_A$ to Bob over the public channel.

3) Bob calculates $R_B = v \oplus k_B$ and, by correcting its errors using $C_1$, obtains $R'_B \in C_1$. (Thus $R_A = R'_B$ with high probability.)

4) Alice selects a code $C_{2,r}$ randomly and announces it to Bob. They both obtain secret keys as cosets of $C_{2,r}$, i.e., $S_A = R_A + C_{2,r}$, $S_B = R'_B + C_{2,r}$.

For the sake of simplicity, we will restrict ourselves to this protocol for the rest of this section. We begin by reviewing some of the known results and clarifying notation. Assume that the quantum channel between Alice and Bob is given by an arbitrary quantum operation $\Lambda$, and thus the sifted key is affected by $\Lambda$. As discussed in [17], [18], since the above type of BB84 protocol is invariant under twirling of qubits, without loss of generality one may consider the Pauli channel $\Lambda_t$ obtained by twirling the original channel $\Lambda$. The Pauli channel $\Lambda_t$ can generally be described by the joint probability distribution $P_{XZ}$ of phase error and bit error (in this section, we call an error in the $x$ basis the phase error, and one in the $z$ basis the bit error). That is, $\Lambda_t$ transforms an $n$-qubit state $\rho$ to

$$ \Lambda_t(\rho) = \sum_{x,z} P_{XZ}(x,z)\, Z^x X^z \rho (Z^x X^z)^\dagger, \qquad (50) $$

where

$$ Z^x := \sigma_z^{x_1} \otimes \cdots \otimes \sigma_z^{x_n}, \qquad X^z := \sigma_x^{z_1} \otimes \cdots \otimes \sigma_x^{z_n}, $$

with $\sigma_x$ and $\sigma_z$ being the Pauli matrices, and $x = (x_1, \ldots, x_n)$, $z = (z_1, \ldots, z_n) \in \{0,1\}^n$. We denote the marginal distribution of the phase error by $P_X(x) = \sum_{z \in \mathbb{F}_2^n} P_{XZ}(x,z)$. As in the previous section, $P_X(k)$ denotes the distribution of the Hamming weight $k$ of $x$ obeying $P_X(x)$.

Next, before considering the secret key, we evaluate the security of the sifted key $v$ as an illustration. The result here will also be used in later sections on wire-tap channels and randomness extraction. Let $\rho_{A,E}$ be Alice's and Eve's total system when the first step of the protocol (i.e., the quantum communication part) is finished (see footnote 3). If one employs the security criterion that takes into account universal composability [35], the security of the sifted key can be evaluated by Eve's distinguishability $\|\rho_{A,E} - \rho_A \otimes \rho_E\|_1$ with $\rho_A := \mathrm{Tr}_E\, \rho_{A,E}$ and $\rho_E := \mathrm{Tr}_A\, \rho_{A,E}$. Alternatively, one may evaluate the security by Eve's Holevo information $\chi := \mathrm{Tr}\, \rho_{A,E}(\log \rho_{A,E} - \log \rho_A \otimes \rho_E)$. These values are known to be bounded from above as [17], [18] 

$$\|\rho_{A,E} - \rho_A \otimes \rho_E\|_1 \le 2\sqrt{2}\,\sqrt{P_{ph}}, \qquad (51)$$

$$\chi \le \eta_n(P_{ph}), \qquad (52)$$

where $P_{ph}$ is the phase error probability of the channel $\Lambda_t$. That is, $P_{ph} := 1 - P_X(x = 0^n)$. The function $\eta_n$ is defined as 

$$\eta_n(x) := \begin{cases} -x\log x - (1-x)\log(1-x) + nx & \text{if } x \le 1/2, \\ 1 + nx & \text{if } x > 1/2. \end{cases} \qquad (53)$$

Footnote 3: Recall that, in our protocol, Alice is assumed to choose her sifted key uniformly. Hence $\rho_{A,E}$ can generally be described as $\rho_{A,E} := \sum_{v_1,\ldots,v_n} 2^{-n}\, |v_1,\ldots,v_n\rangle\langle v_1,\ldots,v_n| \otimes \rho_E(v_1,\ldots,v_n)$, where $\rho_E(v_1,\ldots,v_n)$ denotes Eve's density matrix when Alice's sifted key is $v = (v_1,\ldots,v_n)$. In this case, $\mathrm{Tr}_E\, \rho_{A,E} = \sum_{v_1,\ldots,v_n} 2^{-n}\, |v_1,\ldots,v_n\rangle\langle v_1,\ldots,v_n|$ gives the fully mixed state. 

Now we turn to the security of the secret key. The only difference here is that the key is effectively sent through the quantum channel that is error-corrected by the quantum CSS code corresponding to the classical CSS code $C_1, C_2$. Hence by using essentially the same argument as above, the security can be evaluated by the phase error probability that remains after the quantum error correction. When one sees it in the phase basis (i.e., the $x$ basis), this probability is given by the decoding error probability of the classical CSS code $C_2^\perp/C_1^\perp$, which we denote by $P_{ph}(C_2^\perp/C_1^\perp)$. Then the security of the secret key can be evaluated as [17], [18] 

$$\|\rho_{A,E} - \rho_A \otimes \rho_E\|_1 \le 2\sqrt{2}\,\sqrt{P_{ph}(C_2^\perp/C_1^\perp)}, \qquad (54)$$

$$\chi \le \eta_n\big(P_{ph}(C_2^\perp/C_1^\perp)\big). \qquad (55)$$

The same evaluation as (54) has been done by Renes [34, Theorem 5.1]. For the case of $C_1 = \mathbb{F}_2^n$, essentially the same relation was noted by Koashi [26] and Miyadera [31]. 

Then we apply Theorem 8 to evaluate $P_{ph}(C_2^\perp/C_1^\perp)$. In our BB84 protocol, the subcode $C_2 \subset C_1$ is randomly chosen from an $\varepsilon$-almost dual universal subcode family $\mathcal{C}$ with minimum dimension $m - l$ of a fixed code $C_1$. This corresponds to the case where the dual code $C_2^\perp$ is chosen from the $\varepsilon$-almost universal extended code family of the fixed code $C_1^\perp$ with maximum dimension $n - m + l$. Thus by applying inequality (46), we have 

$$\mathrm{E}_{C_2 \in \mathcal{C}}\, P_{ph}(C_2^\perp/C_1^\perp) \le \sum_{k=0}^{n} P_X(k)\, \varepsilon\, 2^{-n[S - h(\min\{k/n,\,1/2\})]^+}, \qquad (56)$$

where $S = (m - l)/n$ is the sacrificed bit rate, i.e., the ratio of bits reduced by privacy amplification. Therefore, from (51), (52), and from the concavity of $x \mapsto \sqrt{x}$ and $x \mapsto \eta_n(x)$, we have 



$$\mathrm{E}_{C_2 \in \mathcal{C}}\, \|\rho_{A,E} - \rho_A \otimes \rho_E\|_1 \le 2\sqrt{2}\,\sqrt{\sum_{k=0}^{n} P_X(k)\, \varepsilon\, 2^{-n[S - h(\min\{k/n,\,1/2\})]^+}}, \qquad (57)$$

$$\mathrm{E}_{C_2 \in \mathcal{C}}\, \chi \le \eta_n\Big(\sum_{k=0}^{n} P_X(k)\, \varepsilon\, 2^{-n[S - h(\min\{k/n,\,1/2\})]^+}\Big). \qquad (58)$$



In practical QKD systems, the weight distribution $P_X$ needs to be estimated from the bit error rate of sampled bits (see, e.g., [17], [18]). If the phase error rate $k/n$ is estimated to be less than a certain value $p_{ph}$ with the exception of a negligibly small probability, and if $S > h(p_{ph})$, then the argument $\sum_{k=0}^{n} P_X(k)\,\varepsilon\, 2^{-n[S - h(\min\{k/n,\,1/2\})]^+}$ converges to zero for $n \to \infty$. Asymptotically, it is sufficient to sacrifice $n[h(p_{ph}) + \delta]$ bits by privacy amplification with an arbitrary $\delta > 0$. 
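Evaluating (56)-(58) numerically, as an added example that is not part of the paper; it assumes i.i.d. phase errors so that the weight distribution $P_X(k)$ is binomial, uses $\eta_n$ from (53), and takes $n$, $p_{ph}$, $S$ and $\varepsilon$ as constructed inputs:

```python
# Added example (not from the paper): numerical evaluation of the finite-size
# bounds (56)-(58) for the secret key, with the function eta_n of (53).
# Assumptions (constructed): phase errors are i.i.d. with rate p_ph, so the
# weight distribution P_X(k) is binomial; S is the sacrificed bit rate and eps
# the dual-universality parameter of the subcode family.
import math

LN2 = math.log(2.0)


def h(x):
    """Binary entropy in bits, with 0 log 0 = 0."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1.0 - x) * math.log2(1.0 - x)


def eta_n(x, n):
    """The function eta_n(x) of (53)."""
    if x <= 0.5:
        return h(x) + n * x
    return 1.0 + n * x


def log_binom_pmf(n, k, p):
    """Natural log of Binomial(n, p) at k; -inf where the mass is zero."""
    if p <= 0.0:
        return 0.0 if k == 0 else -math.inf
    if p >= 1.0:
        return 0.0 if k == n else -math.inf
    log_choose = math.lgamma(n + 1) - math.lgamma(k + 1) - math.lgamma(n - k + 1)
    return log_choose + k * math.log(p) + (n - k) * math.log1p(-p)


def phase_error_bound(n, p_ph, S, eps=1.0):
    """Right-hand side of (56): the bound on the averaged residual phase error
    probability E_{C_2} P_ph(C_2^perp / C_1^perp) for i.i.d. phase error rate p_ph.
    Each term is P_X(k) * eps * 2^{-n [S - h(min{k/n,1/2})]^+}, evaluated in
    the log domain so that n in the thousands does not overflow."""
    terms = []
    for k in range(n + 1):
        lp = log_binom_pmf(n, k, p_ph)
        if lp == -math.inf:
            continue
        exponent = max(S - h(min(k / n, 0.5)), 0.0)  # [S - h(min{k/n, 1/2})]^+
        terms.append(math.exp(lp + math.log(eps) - n * exponent * LN2))
    return math.fsum(terms)


def trace_distance_bound(n, p_ph, S, eps=1.0):
    """Right-hand side of (57): 2 sqrt(2) sqrt(bound on P_ph)."""
    return 2.0 * math.sqrt(2.0) * math.sqrt(phase_error_bound(n, p_ph, S, eps))


def holevo_bound(n, p_ph, S, eps=1.0):
    """Right-hand side of (58): eta_n applied to the bound on P_ph."""
    return eta_n(phase_error_bound(n, p_ph, S, eps), n)


if __name__ == "__main__":
    n, p_ph = 1000, 0.05
    # Sacrificing S > h(p_ph) ~ 0.286 makes the bounds vanish; S < h(p_ph) does not.
    for S in (0.20, 0.35, 0.50):
        print(f"S={S:.2f}  P_ph<={phase_error_bound(n, p_ph, S):.3e}  "
              f"trace<={trace_distance_bound(n, p_ph, S):.3e}  "
              f"chi<={holevo_bound(n, p_ph, S):.3e}")
```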

From the above argument, we see that for the security of QKD, it is sufficient to choose the code $C_2$ from an $\varepsilon$-almost dual universal subcode family of $C_1$, while the existing results (e.g., [35]) guarantee the security only when the code $C_2$ is randomly chosen from a universal subcode family of $C_1$. Since a universal subcode family of $C_1$ is a 2-almost dual universal subcode family of $C_1$ (Theorem 4), our condition is strictly weaker than that of [35]. 

It should also be noted that by setting $C_1 = \mathbb{F}_2^n$, our argument also applies to Koashi's proof technique [26]; that is, the random matrices appearing in Koashi's protocol can be replaced by an almost dual universal code family. 

Further, the above discussion can be extended to an $\varepsilon$-almost dual universal subcode pair family of $\{C_2 \subset C_1\}$. Now, we choose an $(m-l)$-dimensional subcode $C_2$ of $C_1$ such that the dual code satisfies the condition of Theorem 6. When the Pauli channel is permutation invariant, this code satisfies (57) and (58) with $\varepsilon = n+1$. 



VII. Quantum wire-tap channel 
A. Evaluation by phase error correction approach 

We apply our results of the previous section on QKD to show the security in the quantum wire-tap channel model. In this model, the channel from Alice to Bob and the channel from Alice to Eve are both specified. In particular, in this section, we assume that the channel from Alice to Bob is given by the $n$-fold use of the Pauli channel described by the joint distribution $P_{ZX}$ of bit error and phase error on a single qubit system. We also assume that phase error and bit error occur independently, and denote the phase error probability by $p_{ph}$. This corresponds to a special case of the Pauli channel discussed in the previous section, i.e., $P_{XZ}(x,z) = \prod_{i=1}^{n} P_X(x_i) P_Z(z_i)$ with $P_X(1) = 1 - P_X(0) = p_{ph}$. As to the channel to Eve, we assume that Eve can access all of the environment system corresponding to this channel. 

Our goal is to show that Alice can send secret classical information via the quantum channel to Bob by the following coding protocol (cf. the paragraph below (45)). First, Alice chooses a classical CSS code $C_1, C_2$. A message to be sent is a coset $[x] \in C_1/C_2$, and when the sender wants to send $[x]$, she chooses an element from the set $x + C_2$ with equal probability and sends it. On the receiver's side, Bob first applies the maximum likelihood decoder of $C_1$ to the received bit sequence and obtains an element $y \in C_1$. Then, he obtains the coset $[y] \in C_1/C_2$ as the final decoded message. 

From Eve's point of view, this protocol is equivalent to the situation where Alice sends her classical information $[x] \in C_1/C_2$ by encoding it to a state $|[x]\rangle$ of the quantum CSS code (see, e.g., [37]). Hence we can evaluate the security of $[x]$ by the same argument as in the previous section, i.e., by inequality (54) or by (55), depending on one's security criterion. By noting that the channel between Alice and Bob is i.i.d., we can apply the simple bound given in Theorem 8. Thus, if a fixed code $C_1$ and an $\varepsilon$-almost dual universal subcode family $\mathcal{C}$ of $C_1$ are used, the average of $P_{ph}(C_2^\perp/C_1^\perp)$ satisfies 

$$\mathrm{E}_{C_2 \in \mathcal{C}}\, P_{ph}(C_2^\perp/C_1^\perp) \le 2^{-nE(1-S,\, p_{ph})} \max\{\varepsilon, 1\}. \qquad (59)$$

Here $t_{\min} = n(1-S)$ is the minimum dimension of $C_2$, and $t_{\max}$ is the maximum dimension of $C_2^\perp$, which equals the sacrificed bit length. As one can see from Corollary 3, the exponential decreasing rate $E(1-S, p_{ph})$ on the right hand side of (59) is strictly positive for $S > h(p_{ph})$. By using (59), the averages of Eve's distinguishability $\|\rho_{AE} - \rho_A \otimes \rho_E\|_1$ and the Holevo information $\chi = \mathrm{Tr}\, \rho_{AE}(\log \rho_{AE} - \log \rho_A \otimes \rho_E)$ can be evaluated as 

$$\mathrm{E}_{C_2 \in \mathcal{C}}\, \|\rho_{AE} - \rho_A \otimes \rho_E\|_1 \le 2^{-\frac{1}{2} nE(1-S,\, p_{ph}) + \frac{3}{2}}\, \sqrt{\max\{\varepsilon, 1\}}, \qquad (60)$$

$$\mathrm{E}_{C_2 \in \mathcal{C}}\, \chi \le \eta_n\big(2^{-nE(1-S,\, p_{ph})} \max\{\varepsilon, 1\}\big), \qquad (61)$$

with $l = \dim C_1 - t_{\min}$ being the length of the message. 

B. Deterministic universal hash function 

In fact, the above argument is valid even for an $\varepsilon$-almost dual universal code pair family. Since our setting is permutation invariant, the deterministic code pair given in Proposition 3 can be used. That is, given a code $C_1$, we can choose a $t$-dimensional subcode $C_2 \subset C_1$ such that $\varepsilon(C_2^\perp/C_1^\perp) \le n+1$. Then by combining (59), (54), and (55), we see that the security of $C_1, C_2$ can be evaluated as 

$$\|\rho_{AE} - \rho_A \otimes \rho_E\|_1 \le \sqrt{n+1}\; 2^{-\frac{1}{2} nE(1-S,\, p_{ph}) + \frac{3}{2}}, \qquad (62)$$

$$\chi \le \eta_n\big((n+1)\, 2^{-nE(1-S,\, p_{ph})}\big), \qquad (63)$$

with the message length $l = \dim C_1 - t$. Note that the construction of the code $C_2$ is universal in that it does not depend on the value of $p_{ph}$. Hence, the linear map defined by $C_1 \to C_1/C_2$ can be regarded as a type of deterministic universal hash function which is secure for independent and identical applications of an arbitrarily given quantum Pauli channel. 

C. Comparison with the $\delta$-biased approach 

Now, we treat the same setting as above by using the $\delta$-biased approach. When the subcode $C_2 \subset C_1$ is chosen from an $\varepsilon$-almost dual universal subcode family $\mathcal{C}$ of a fixed code $C_1$, we can evaluate the average performance after the combination of the error correction by $C_1$ and the privacy amplification by $C_2$ by using Lemma 3 (the $\delta$-biased approach). 

When $\varepsilon \ge 1$, attaching the smoothing to Lemma 3, Hayashi derived the following inequalities: 

$$\mathrm{E}_{C_2 \in \mathcal{C}}\, \|\rho_{AE} - \rho_A \otimes \rho_E\|_1 \le \big(4 + (n+1)\sqrt{2\varepsilon}\big)\, 2^{-\frac{1}{2} nE(1-S,\, p_{ph})}, \qquad (64)$$

$$\mathrm{E}_{C_2 \in \mathcal{C}}\, \chi \le \eta_n\Big(\big(4 + (n+1)\sqrt{2\varepsilon}\big)\, 2^{-\frac{1}{2} nE(1-S,\, p_{ph})}\Big), \qquad (65)$$

$$\mathrm{E}_{C_2 \in \mathcal{C}}\, \chi \le 2\,\eta_{u(\varepsilon,n)}\Big(2^{1 - n \max_{0 \le s \le 1} s\,(S - H_{1-s}(p_{ph}))}\Big), \qquad (66)$$

where $H_{1-s}(p) := \frac{1}{s}\log_2\big(p^{1-s} + (1-p)^{1-s}\big)$ and $u(\varepsilon,n) := \frac{\varepsilon(n+1)}{4\log 2}$. 
When $\varepsilon$ increases at most polynomially, (60) and (64) give the same exponential evaluation: 

$$\liminf_{n \to \infty} -\frac{1}{n} \log \mathrm{E}_{C_2 \in \mathcal{C}}\, \|\rho_{AE} - \rho_A \otimes \rho_E\|_1 \ge \frac{1}{2} E(1-S,\, p_{ph}). \qquad (67)$$

However, for $\varepsilon \ge 1$, 

$$\frac{\text{RHS of } (60)}{\text{RHS of } (64)} = \frac{2^{3/2}\sqrt{\max\{\varepsilon, 1\}}}{4 + (n+1)\sqrt{2\varepsilon}} \to 0 \quad (n \to \infty). \qquad (68)$$

Hence, we can conclude that the evaluation (60) by the phase error correction approach gives a better evaluation for $\|\rho_{AE} - \rho_A \otimes \rho_E\|_1$. 

In this case, (65) yields the following exponential evaluation for $\chi$: 

$$\liminf_{n \to \infty} -\frac{1}{n} \log \mathrm{E}_{C_2 \in \mathcal{C}}\, \chi \ge \frac{1}{2} E(1-S,\, p_{ph}), \qquad (69)$$

which is better than that of (66), as is shown in Hayashi [22]. However, the evaluation (61) by the phase error correction approach gives the following: 

$$\liminf_{n \to \infty} -\frac{1}{n} \log \mathrm{E}_{C_2 \in \mathcal{C}}\, \chi \ge E(1-S,\, p_{ph}), \qquad (70)$$

which is twice the above. Hence, in the case of QKD, we can conclude that the phase error correction approach is better than the $\delta$-biased approach based on Lemma 3. 

VIII. Relation with existing results 
A. Comparison with existing results 

In order to compare our results of this section with existing ones, we here review the history of the studies of information theoretic security. 

Wyner [44] and Csiszár and Körner [7] showed the weak security in the wire-tap channel model, in the terminology of Maurer and Wolf [30]. Csiszár [6] showed the strong security in the same model, again in the terminology of Maurer and Wolf [30]. Hayashi [16] gave the concrete exponential decreasing rate for the strong security in the same model. These studies use completely random coding as the privacy amplification process; that is, no linear functions are used in this process. Bennett et al. and Håstad et al. [15] proposed to use universal hash functions for privacy amplification. Maurer and Wolf [30] applied this idea to secret key agreement, which is a setting different from the wire-tap channel. They showed the strong security with universal hash functions for privacy amplification. Based on these ideas, Hayashi showed the strong security with universal hash functions when the sacrifice bit rate is greater than the mutual information $I(A:E)$. Muramatsu and Miyake [32] considered a more general condition [33] than the $\varepsilon$-almost universality of the code for privacy amplification. Under this condition, they showed the weak security. However, Watanabe et al. [42] pointed out that their method cannot derive the strong security based on Hayashi's idea [19] in the case of secret key agreement from a correlated source. Further, the impossibility of the strong security under the condition of $\varepsilon$-almost universality will be shown in Theorem 9 by giving a counterexample. Overall, our concept "$\varepsilon$-almost dual universal" is a larger class of hash function families than any known class of linear hash function families guaranteeing the strong security. 

B. $\varepsilon$-almost dual universality$_2$ vs. $\varepsilon$-almost universality$_2$ 

Finally, as mentioned earlier, we present an example of the classical wire-tap channel model that vividly contrasts the properties of $\varepsilon$-almost dual universality$_2$ and $\varepsilon$-almost universality$_2$. Tomamichel et al. showed that when $\varepsilon$ converges to 1, any sequence of $\varepsilon$-almost universal subcode families (of $C_1 = \mathbb{F}_2^n$) guarantees the strong security [40, Lemma 1]. However, one sees that, if $\varepsilon \ge 2$, an $\varepsilon$-almost universal subcode family (of $C_1 = \mathbb{F}_2^n$) does not necessarily guarantee the strong security. In other words, the choice of the code $C_2$ from an $\varepsilon$-almost universal subcode family of $C_1$ is not sufficient for the strong security. Note that we have shown in this section that $\varepsilon$-almost dual universality$_2$ is indeed sufficient for this purpose. Hence, at least in the setting of this section, $\varepsilon$-almost dual universality$_2$ is the more relevant criterion for security. 

Theorem 9: Assume that the channel from Alice to Bob is noiseless, and the channel to Eve is binary symmetric with error probability $p$. There exists an example of a 2-almost universal code family $\mathcal{C}$ for which the hash functions (i.e., $\mathbb{F}_2^n \to \mathbb{F}_2^n/C_2$ with $C_2 \in \mathcal{C}$) cannot guarantee the strong security. 

Proof: Choose an arbitrary universal code family $\mathcal{C}' = \{C'_2 \subset \mathbb{F}_2^{n-1}\}$. Then define another code family $\mathcal{C}$ in $\mathbb{F}_2^n$ consisting of $C_2 := \{x \| 0 \mid x \in C'_2\}$ with $C'_2 \in \mathcal{C}'$. Here, $a \| b$ denotes the concatenation of $a$ and $b$. Hence for any $C_2 \in \mathcal{C}$, there exists $C'_2 \in \mathcal{C}'$ such that $C_2$ consists of $x \in C'_2$ concatenated with a zero. Note that the code family $\mathcal{C}$ is obviously 2-almost universal, but its dual code family $\mathcal{C}^\perp$ cannot be $\varepsilon$-almost universal for any $\varepsilon < 1$, because $x = 0\ldots01 \in C$ for all $C \in \mathcal{C}^\perp$. 

When Alice transmits a coset $[x] \in \mathbb{F}_2^n/C_2$ as her secret message, she chooses $x \in [x]$ randomly and sends it to Bob. Due to our construction of $\mathcal{C}$, the $n$-th bit of $x$ is preserved in $[x]$ as it is, without being canceled by privacy amplification. Since Eve receives this $n$-th bit with the error probability $p$, Eve's mutual information regarding $[x]$ is greater than $1 - h(p)$. Therefore, the strong security does not hold with these hash functions. ■ 

C. Deterministic universal hash function 

When there exist errors, one needs error correction as well as hash functions. Here we denote the code for error correction by $C_1$ and the code for the hash function by $C_2$. Then, the relation $C_2 \subset C_1$ holds. Now, we consider what kind of code pairs $C_2 \subset C_1$ yields the strong security. 

First note that the phase error correction approach has an additional advantage over the $\delta$-biased approach; that is, the phase error correction approach allows us to use an $\varepsilon$-almost dual universal code pair family $C_2 \subset C_1$. 

Note also that the situation is quite different for the $\delta$-biased approach, because it requires hash functions to be applied after error correction. That is, one needs to apply an $\varepsilon$-almost dual universal code family to a fixed code space. Hence, the $\delta$-biased approach can guarantee the strong security only with an $\varepsilon$-almost dual universal subcode family of a fixed code $C_1$. These relations among classes of code pair families are summarized in Fig. 2. 

Footnote 4: Their $\delta$ corresponds to $\varepsilon 2^m$ when the bit length of final keys is $m$. 

In order to illustrate this advantage of the phase error correction approach with an example, let us take an arbitrary code $C_2$, and choose a subcode $C_1$ of $C_2$ based on Proposition 3. Then, the permuted code pair family $\mathcal{C}_{C_2 \subset C_1}$ is an $(n+1)$-almost dual universal code pair family, but is not an $(n+1)$-almost dual universal subcode family of a fixed code $C_1$. Hence, as is discussed in Subsection VII-B, for a given error correction code $C_1$, the phase error correction approach guarantees the existence of a deterministic hash function that universally works for an independent and identical setting. In particular, if the error correcting code $C_1$ universally works for additive errors given by an independent and identical distribution, the code pair $C_2 \subset C_1$ universally works for error correction as well as privacy amplification. 

However, in the $\delta$-biased approach, it is impossible to construct such a deterministic hash function because this approach cannot treat the security for an $(n+1)$-almost dual universal code pair family. 

Finally, we explain the relation of our results to a universal quantum CSS code found by Hamada for sending quantum states. In his paper, he focused on a family of classical self-dual codes. Then, combining qubits based on the bit basis and qubits based on the phase basis, he succeeded in constructing a universal quantum CSS code from a set of universal classical self-dual codes by choosing $C_1^\perp = C_2$. His code can be applied to QKD, where Alice can send information by using both the bit basis and the phase basis. On the other hand, it cannot be applied to our quantum wire-tap channel model in a straightforward manner, where only the bit basis is used for sending the classical message. This is because our method employs two codes $C_1$ and $C_2$ chosen separately. Our method for constructing a deterministic universal hash function would not work either, if we were to restrict our codes to self-dual codes. Recall that the key point of our method is the concept of a "permuted code pair family." 

IX. Conclusion 

In this paper, we have first introduced the concept of "$\varepsilon$-almost dual universal hash function family". Then, we have shown that the class of $\varepsilon$-almost dual universal hash function families includes the class of universal hash function families. 

Employing the relation between quantum error correction and security, we have shown that the application of an $\varepsilon$-almost dual universal hash function family yields the strong security. We have also mentioned that the results concerning the $\delta$-biased family [9], [10] imply this fact, while their original result does not refer to privacy amplification. 

We have compared these two approaches, i.e., the phase error correction approach and the $\delta$-biased approach, in the following two points. As the first point, we have shown that the phase error correction approach yields a better security bound in terms of the trace distance and the Holevo information than the $\delta$-biased approach. As the second point, we have shown that the phase error correction approach guarantees the strong security with a larger class of protocols than the $\delta$-biased approach when we apply error correction as well as privacy amplification. 

In particular, as a byproduct, we have shown the existence of a universal code for privacy amplification with error correction. Due to the above difference, the phase error correction approach can guarantee the existence of such a code, while the $\delta$-biased approach cannot. 

Fig. 2. Relation among classes of code pairs. 
Appendix A 
Proofs of Theorems 7 and 8 

First, we show Theorem 7. Due to the linearity, it is sufficient to evaluate the probability that the received signal is erroneously decoded to $C \setminus \{0\}$ when $0 \in C$ is sent. Let $P_X(x)$ be the $n$-fold independent and identical extension of the distribution $(1-p, p)$. Since the phase error $x$ occurs on the $n$-bit sequence with probability $P_X(x)$, applying Gallager's evaluation [11] to this error probability, for $0 \le s \le 1$ and $\alpha := \frac{1}{1+s}$, we obtain 

$$P_e(C) \le \sum_{y \in \mathbb{F}_2^n} P_X(y) \Big( \sum_{x \in C \setminus \{0\}} \Big(\frac{P_X(y+x)}{P_X(y)}\Big)^{\alpha} \Big)^{s} = \sum_{y \in \mathbb{F}_2^n} P_X(y)^{\frac{1}{1+s}} \Big( \sum_{x \in C \setminus \{0\}} P_X(y+x)^{\frac{1}{1+s}} \Big)^{s}.$$

Thus, the error probability $P_e(C)$ is bounded from above by this value. Any $\varepsilon$-almost universal code family satisfies the inequality $\mathrm{E}_{C \in \mathcal{C}} \sum_{x \in C \setminus \{0\}} P_X(y+x)^{\frac{1}{1+s}} \le \varepsilon\, 2^{t_{\max} - n} \sum_{x \in \mathbb{F}_2^n} P_X(y+x)^{\frac{1}{1+s}}$. Taking the average over the family for $C$, we obtain the upper bound 

$$\begin{aligned}
\mathrm{E}_{C \in \mathcal{C}}\, P_e(C) &\le \mathrm{E}_{C \in \mathcal{C}} \sum_{y \in \mathbb{F}_2^n} P_X(y)^{\frac{1}{1+s}} \Big( \sum_{x \in C \setminus \{0\}} P_X(y+x)^{\frac{1}{1+s}} \Big)^{s} \\
&\le \sum_{y \in \mathbb{F}_2^n} P_X(y)^{\frac{1}{1+s}} \Big( \mathrm{E}_{C \in \mathcal{C}} \sum_{x \in C \setminus \{0\}} P_X(y+x)^{\frac{1}{1+s}} \Big)^{s} \\
&\le \sum_{y \in \mathbb{F}_2^n} P_X(y)^{\frac{1}{1+s}} \Big( \varepsilon\, 2^{t_{\max} - n} \sum_{x \in \mathbb{F}_2^n} P_X(y+x)^{\frac{1}{1+s}} \Big)^{s}, \qquad (71)
\end{aligned}$$

where the concavity of $x \mapsto x^s$ is used. Since the quantity $\big( \varepsilon\, 2^{t_{\max} - n} \sum_{x \in \mathbb{F}_2^n} P_X(y+x)^{\frac{1}{1+s}} \big)^{s}$ does not depend on $y$, it can be replaced with $\big( \varepsilon\, 2^{t_{\max} - n} \sum_{x \in \mathbb{F}_2^n} P_X(x)^{\frac{1}{1+s}} \big)^{s} = \varepsilon^{s}\, 2^{s t_{\max} - sn} \big( \sum_{x \in \mathbb{F}_2^n} P_X(x)^{\frac{1}{1+s}} \big)^{s}$. Hence the right hand side of (71) becomes 



$$\sum_{y \in \mathbb{F}_2^n} P_X(y)^{\frac{1}{1+s}}\; \varepsilon^{s}\, 2^{s t_{\max} - sn} \Big( \sum_{x \in \mathbb{F}_2^n} P_X(x)^{\frac{1}{1+s}} \Big)^{s} = \varepsilon^{s}\, 2^{s t_{\max} - sn} \Big( \sum_{x \in \mathbb{F}_2^n} P_X(x)^{\frac{1}{1+s}} \Big)^{1+s}. \qquad (72)$$

From this, we obtain Theorem 7. 

Next, we show Theorem 8. Due to the linearity, it is sufficient to evaluate the probability that the received signal is erroneously decoded to $C_1 \setminus C_2$ when Alice sends $0 \in C_2$. The difference from the above case is the derivation of (71). This part of the derivation can be replaced as follows. 

$$\begin{aligned}
\mathrm{E}_{C_1 \in \mathcal{C}}\, P_e(C_1/C_2) &\le \mathrm{E}_{C_1 \in \mathcal{C}} \sum_{y \in \mathbb{F}_2^n} P_X(y)^{\frac{1}{1+s}} \Big( \sum_{x \in C_1 \setminus C_2} P_X(y+x)^{\frac{1}{1+s}} \Big)^{s} \\
&\le \sum_{y \in \mathbb{F}_2^n} P_X(y)^{\frac{1}{1+s}} \Big( \mathrm{E}_{C_1 \in \mathcal{C}} \sum_{x \in C_1 \setminus C_2} P_X(y+x)^{\frac{1}{1+s}} \Big)^{s} \\
&\le \sum_{y \in \mathbb{F}_2^n} P_X(y)^{\frac{1}{1+s}} \Big( \varepsilon\, 2^{t_{\max} - n} \sum_{x \in \mathbb{F}_2^n} P_X(y+x)^{\frac{1}{1+s}} \Big)^{s}.
\end{aligned}$$

Combining this and (72), we obtain (47) and (48). This discussion can be extended to the case of an $\varepsilon$-almost universal extended code pair family. Thus, we obtain Theorem 8. 

Appendix B 
Proof of Equation (44) 

In order to prove this equation, it is convenient to introduce another binary distribution $P_\theta = (p_\theta, 1 - p_\theta)$ that is derived from $P = (p, 1-p)$, where $p_\theta$ is defined by 

$$p_\theta := \frac{p^\theta}{p^\theta + (1-p)^\theta}$$

with the convention that $p^0 = 0$ if $p = 0$. The distribution $P_\theta$, parameterized by a real number $\theta \ge 0$, is often called the exponential family of $P$. We also define a function $\psi(\theta)$ by 

$$\psi(\theta) := \log\big[p^\theta + (1-p)^\theta\big].$$

Then the following relations are useful for simplifying calculations of the divergence $d(p\|q)$ and the entropy $h(p)$. For $\theta \ge 0$, we have 

$$\begin{aligned}
\psi'(\theta) &= -d(p_\theta\|p) - h(p_\theta), \qquad \psi''(\theta) > 0, \\
h(p_\theta) &= -\theta\,\psi'(\theta) + \psi(\theta), \\
\frac{d\,h(p_\theta)}{d\theta} &= -\theta\,\psi''(\theta) < 0, \\
d(p_\theta\|p) &= -\psi(\theta) - (1-\theta)\,\psi'(\theta), \\
d(p_\theta\|p) + h(p_\theta) &= -\psi'(\theta).
\end{aligned}$$

We shall make frequent use of these formulas in what follows. Note that $E_0(s,p)$ can be rewritten as 

$$E_0(s,p) = s - (1+s)\,\psi\Big(\frac{1}{1+s}\Big).$$
First, we prove Equation (44) for the limited case where the minimum is evaluated over $q = p_\theta$ with $0 \le \theta \le 1$. 

Lemma 6: If $R < 1 - h(p)$, 

$$\min_{0 \le \theta \le 1} d(p_\theta\|p) + [1 - h(p_\theta) - R]^+ = E(R,p). \qquad (73)$$

Proof: $E_R(s,p) = -sR + E_0(s,p)$ is concave with respect to $s$, since $E_R''(s,p) = -(1+s)^{-3}\,\psi''\big(\frac{1}{1+s}\big) < 0$. We define the critical rate $R_c$ by 

$$R_c := 1 - h(p_{1/2})$$

such that, if $R < R_c$ (resp., $R > R_c$), then $\frac{\partial E_R}{\partial s}\big|_{s=1} > 0$ (resp., $\frac{\partial E_R}{\partial s}\big|_{s=1} < 0$). 

Then, if $R \le R_c$, the maximum of $E_R$ is attained at $s = 1$: 

$$\begin{aligned}
E(R,p) = E_R(1,p) &= -R + 1 - 2\psi(1/2) \\
&= d(p_{1/2}\|p) + 1 - h(p_{1/2}) - R \\
&= \min_{0 \le \theta \le 1} d(p_\theta\|p) + 1 - h(p_\theta) - R.
\end{aligned}$$

The last line follows by noting that $d(p_\theta\|p) + 1 - h(p_\theta) - R$ attains its minimum at $\theta = 1/2$, since $\frac{d}{d\theta}\big[d(p_\theta\|p) - h(p_\theta)\big] = (2\theta - 1)\,\psi''(\theta)$ with $\psi''(\theta) > 0$. Also by noting that $1 - h(p_{1/2}) - R \ge 0$ for $R \le R_c$, we see that (73) is satisfied for $R \le R_c$. 

On the other hand, if $R > R_c$, we have $\frac{\partial E_R}{\partial s}\big|_{s=1} < 0$, and also $\frac{\partial E_R}{\partial s}\big|_{s=0} > 0$ from $R < 1 - h(p)$. Thus the maximum is attained at $s_R \in (0,1]$ satisfying $\frac{\partial E_R}{\partial s}\big|_{s=s_R} = 0$, i.e. 

$$\psi\Big(\frac{1}{1+s_R}\Big) - \frac{1}{1+s_R}\,\psi'\Big(\frac{1}{1+s_R}\Big) = 1 - R. \qquad (74)$$

Hence 

$$E(R,p) = E_R(s_R,p) = -\psi\Big(\frac{1}{1+s_R}\Big) - \frac{s_R}{1+s_R}\,\psi'\Big(\frac{1}{1+s_R}\Big) = d\big(p_{(1+s_R)^{-1}}\|p\big). \qquad (75)$$

Note that the condition (74) can also be written as $1 - h(p_{(1+s_R)^{-1}}) - R = 0$. Then by noting that $d(p_\theta\|p) - h(p_\theta)$ is monotonically increasing for $1/2 \le \theta \le 1$, whereas $d(p_\theta\|p)$ is decreasing, we see that the minimum of (73) is attained for $\theta = (1+s_R)^{-1}$. Hence (73) holds for $R > R_c$ as well. ■ 
Proof of Equation (44): Let 

$$\begin{aligned}
M_1 &:= \min_{0 \le q \le 1} d(q\|p) + [1 - h(q) - R]^+, \\
M_2 &:= \min_{0 \le \theta \le 1} d(p_\theta\|p) + [1 - h(p_\theta) - R]^+.
\end{aligned}$$

Then from Lemma 6 it suffices to show $M_1 = M_2$. Since $M_1 \le M_2$ holds trivially, it remains to show $M_1 \ge M_2$. 

Denote the value of $q$ attaining the minimum of $M_1$ by $\bar{q}$. Then we have 

$$d(\bar{q}\|p) \le d(p_0\|p), \qquad (76)$$

since otherwise 

$$\begin{aligned}
M_1 &> d(p_0\|p) + [1 - h(\bar{q}) - R]^+ \\
&\ge d(p_0\|p) + [1 - h(p_0) - R]^+ \ge M_2, \qquad (77)
\end{aligned}$$

which contradicts $M_1 \le M_2$. The second line of (77) follows by noting that $h(\bar{q}) \le h(p_0)$ with $p_0$ being the uniform distribution. Note that this is true even when $p = 0$ (resp. $p = 1$) because then $\bar{q} = 0$ (resp. $\bar{q} = 1$) due to the condition $d(\bar{q}\|p) < \infty$. 

By a straightforward calculation, one can show that, given an arbitrary combination of $p, q, \theta$ satisfying $d(q\|p) = d(p_\theta\|p)$, 

$$h(p_\theta) - h(q) = \frac{d(q\|p_\theta)}{1 - \theta} \qquad (78)$$

holds. From (76), $d(\bar{q}\|p) = d(p_\theta\|p)$ holds for some $\theta \in [0,1]$. Then by using (78), we see that $h(p_\theta) \ge h(\bar{q})$, and thus $M_1 \ge M_2$. ■ 
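A numerical check of Lemma 6 and Equation (44), added here and not part of the paper; it assumes base-2 logarithms and the sample values $p = 0.05$, $R \in \{0.3, 0.5\}$ (one below and one above $R_c$), and evaluates the maximum over $s$ and the minima over $\theta$ and over $q$ on grids:

```python
# Added example (not from the paper): numerical check of Lemma 6 and Equation
# (44) using the exponential family p_theta, psi(theta) and E_R(s,p) defined in
# Appendix B. All logarithms are base 2, so d and h are in bits. The grids and
# the sample values p = 0.05, R in {0.3, 0.5} are constructed choices.
import math


def xlog2(x):
    return 0.0 if x <= 0.0 else x * math.log2(x)


def h(q):
    """Binary entropy h(q) in bits."""
    return -xlog2(q) - xlog2(1.0 - q)


def d(q, p):
    """Binary divergence d(q||p) in bits (infinite if the supports mismatch)."""
    if (q > 0.0 and p == 0.0) or (q < 1.0 and p == 1.0):
        return math.inf
    total = 0.0
    if q > 0.0:
        total += q * math.log2(q / p)
    if q < 1.0:
        total += (1.0 - q) * math.log2((1.0 - q) / (1.0 - p))
    return total


def psi(theta, p):
    """psi(theta) = log[p^theta + (1-p)^theta] (base 2)."""
    return math.log2(p ** theta + (1.0 - p) ** theta)


def p_theta(theta, p):
    """The exponential family p_theta = p^theta / (p^theta + (1-p)^theta)."""
    return p ** theta / (p ** theta + (1.0 - p) ** theta)


def e0(s, p):
    """E_0(s,p) = s - (1+s) psi(1/(1+s))."""
    return s - (1.0 + s) * psi(1.0 / (1.0 + s), p)


def e_rate(R, p, grid=4000):
    """E(R,p) = max_{0<=s<=1} E_R(s,p), with E_R(s,p) = -sR + E_0(s,p)."""
    return max(-s * R + e0(s, p) for s in (i / grid for i in range(grid + 1)))


def m2(R, p, grid=4000):
    """Left-hand side of (73): min over theta in [0,1] of
    d(p_theta||p) + [1 - h(p_theta) - R]^+ ."""
    best = math.inf
    for i in range(grid + 1):
        q = p_theta(i / grid, p)
        best = min(best, d(q, p) + max(1.0 - h(q) - R, 0.0))
    return best


def m1(R, p, grid=4000):
    """Minimum over all q in [0,1] of d(q||p) + [1 - h(q) - R]^+ (Equation (44))."""
    best = math.inf
    for i in range(grid + 1):
        q = i / grid
        best = min(best, d(q, p) + max(1.0 - h(q) - R, 0.0))
    return best


def identity_gap(theta, p):
    """Residual of the relation d(p_theta||p) + h(p_theta) = -psi'(theta), where
    psi'(theta) = sum_x p_theta(x) log2 P(x) is evaluated in closed form."""
    q = p_theta(theta, p)
    psi_prime = q * math.log2(p) + (1.0 - q) * math.log2(1.0 - p)
    return d(q, p) + h(q) + psi_prime


if __name__ == "__main__":
    p = 0.05
    print("R_c =", 1.0 - h(p_theta(0.5, p)), "  1-h(p) =", 1.0 - h(p))
    for R in (0.3, 0.5):  # R < R_c and R_c < R < 1 - h(p)
        print(f"R={R}: E(R,p)={e_rate(R, p):.5f}  M2={m2(R, p):.5f}  M1={m1(R, p):.5f}")
```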